The Conference of State Bank Supervisors (CSBC) said last week that there should be a “floor” for data privacy and security regulations, a statement issued by the Senate Committee on Banking, Housing and Urban Affairs. In a Friday (March 15) letter to the committee, addressed to Senators Mike Crapo (R-ID) and ranking committee member Sherrod Brown (D-OH), the CSBS said a standard (thus, a floor) would let individual states maintain a leading role in protecting consumers.
“For many years, states have been at the forefront in advancing data privacy and security for the protection of consumers residing in their states,” said John Ryan, president and CEO of CSBS, as quoted in the letter. “Accordingly, we believe any federal proposal relating to the collection, use and protection of consumer data must preserve the role for state leadership in the areas of data privacy, security and control.”
The letter comes in response to the committee’s call for comments on how regulation might protect consumers — specifically, data collection and the use of personally identifiable information (PII) have been stated as a “major focus” of the senators “moving forward.”
Amid the topics under examination are how consumers can be alerted to data breaches, and how credit bureaus can work with the most accurate data, as noted by the American Banker. The committee said earlier this year, in commentary from Senator Brown, that “Congress should make it easy for consumers to find out who is collecting personal information about them, and give consumers power over how that data is used, stored and distributed.”
In comments provided to PYMNTS late on Friday, Jim Kurtzke, vice president of communications for CSBS, said a federal floor would be “consistent with legislative precedent.” He pointed to the recent enactment of the California Consumer Privacy Act of 2018 as an example. To recap, that legislation, passed in June, requires credit monitoring and identity theft protection after breaches, among other mandates. Businesses must comply with data deletion requests, and must disclose the information they collect and why that data is being collected.
When asked why a federal “ceiling” might not be an optimal way to address data-focused concerns, Kurtzke said, “The risk that a federal ceiling poses is preempting any state action to make the laws tougher. Here’s a mortgage analogy. During the housing boom in the early 2000s, the OCC preempted state predatory lending laws and, as a result, contributed to widespread foreclosures that led to the mortgage meltdown and U.S. financial crisis.”
In its letter, and through Ryan, the CSBS said this would keep with precedent, as “Title V of the Gramm-Leach-Bliley Act … establishes a floor for data breach and data security laws, and expressly reserves the right of states” to pass more stringent laws. In another example cited by the CSBS, the Fair Credit Reporting Act follows the same approach with respect to the collection, distribution or use of any information on consumers, and the prevention or mitigation of identity theft.
Separately, in terms of regulatory news tied to fraud, legislation came this week from a pair of U.S. senators that would broaden the ability of the Securities and Exchange Commission (SEC) to recover money on behalf of investors victimized in financial crimes.
Specifically, the legislation from Senators John Kennedy (R-LA) and Mark Warner (D-VS) would extend the statute of limitations tied to those crimes from five years to 10 years. The five-year statute of limitations on fraud or financial misconduct had been put in place by the Supreme Court in 2017. The new legislation would give the SEC a decade to pursue restitution, where funds recovered would go to the victims.