CSBS Opposes H.R. 6743, the Consumer Information Notification Requirement Act

The Honorable Jeb Hensarling, Chairman
House Financial Services Committee
2129 Rayburn House Office Building
Washington, DC 20515

Dear Chairman Hensarling:

On behalf of the Conference of State Bank Supervisors (CSBS)1, I am writing to express state regulators’ opposition to H.R. 6743, the “Consumer Information Notification Requirement Act.” This bill would preempt state data breach notification laws and undermine state authority, limiting states’ ability to protect their residents and oversee state-chartered and state-licensed financial services providers.

Like you and the members of the House Financial Services Committee, state regulators have devoted significant effort and attention to cybersecurity and the importance of ensuring that consumer information is protected by the institutions they oversee. In fact, as we pass the one-year anniversary of the announcement of the Equifax data breach, I note that state regulators came together quickly to conduct a joint examination of Equifax in the aftermath of the company’s September 7, 2017 announcement. This state exam led to a multi-state consent order calling for corrective actions applying to the company’s nationwide operations.2 It is experiences such as the states’ work on Equifax that inform our opposition to H.R. 6743.

Gramm-Leach-Bliley Appropriately Establishes A Federal Floor

Data security is a dynamic field with novel risks emerging on a constant basis. It is critical that state regulators and state law enforcement agencies retain the ability to protect consumers in their states. In enacting federal privacy laws, Congress has traditionally recognized the important role filled by the states in setting data breach standards. For example, Title V of the Gramm-Leach-Bliley Act (GLB) requires financial institutions to implement a risk-based response program to address instances of unauthorized access to customer information systems.3 Importantly, Section 507 of GLB establishes a floor for data breach and data security laws and expressly reserves the right of states to enact more stringent data breach and privacy laws for the protection of their citizens.4

Section 507 was enacted to ensure states retain flexibility to develop regulatory approaches to protecting consumer information that fairly balance the needs of business with the level of privacy protection desired by the consumers residing in their state. Accordingly, federal consumer privacy standards have operated concurrently with more stringent state data breach and privacy laws for close to two decades. The rapid evolution and proliferation of online financial services since the enactment of GLB has made it all the more crucial that states be permitted to serve their constitutional role as “laboratories of democracy” in calibrating the appropriate level of protection for consumer data over and above baseline national standards.

H.R. 6743 Undermines Important State Consumer Protections

H.R. 6743 sets a broadly preemptive federal standard for all financial institutions based on existing guidance issued by the federal banking regulators in 2005. The result is a standard that undermines the state-federal balance while limiting existing consumer protections and constraining state authority. Among existing state laws that would be preempted are laws that specify the types of consumer information covered by data breach notification requirements and that establish consumer data breach notification standards.

H.R. 6743 Undermines State Regulators’ Authority over State-Licensed Financial Institutions

Additionally, H.R. 6743 would preempt the authority of state regulators by preempting state laws that articulate when regulated entities are required to notify regulators and by preempting state authority to examine licensed nondepository financial institutions for compliance with data breach notification and other data security requirements. The legislation would place nondepository financial institutions solely within the jurisdiction of the Federal Trade Commission (FTC) and require the FTC to establish data breach standards. However, in contrast to the federal banking agencies, the FTC is a law enforcement agency and generally lacks supervisory authority with respect to the rules and requirements within its jurisdiction. Accordingly, the legislation will, to the detriment of consumers across the country, reduce regulatory oversight of nondepository financial institutions for compliance with data breach notification and data security laws.

Conclusion

State regulators firmly oppose H.R. 6743 for its attempt to preempt state data breach and privacy laws. States have demonstrated their ability to spot emerging risks early and to act with agility in responding to those risks. H.R. 6743 could constrain and preempt state efforts where states are taking a leading role and the federal government has yet to act.

Sincerely,

John W. Ryan, President and CEO

Cc: The Hon. Maxine Waters, Ranking Member, House Financial Services Committee
The Hon. Blaine Luetkemeyer, Chairman, Subcommittee on Financial Institutions and Consumer Credit
The Hon. William Lacy Clay, Ranking Member, Subcommittee on Financial Institutions and Consumer Credit


1 CSBS is the nationwide organization of banking regulators from all 50 states, American Samoa, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands. The mission of CSBS is to support the leadership role of state banking supervisors in advancing the state banking system; ensuring safety and soundness; promoting economic growth and consumer protection; and fostering innovative state regulation of the financial services industry.
State regulators charter and supervise 78 percent of all banks in the United States. In addition, state regulators license and supervise a variety of non-depository financial services. CSBS, on behalf of state regulators, also operates the Nationwide Multistate Licensing System (NMLS) to license and register those engaged in mortgage, money transmission, consumer finance, debt collection, and other non-depository financial services industries.
2 https://www.csbs.org/state-regulators-enter-consent-order-equifax
3 See Gramm-Leach-Bliley Act, Pub. L. No. 106-102, tit. V, 113 Stat. 1338, 1436-1450 (1999) (codified as amended at 15 U.S.C. §§ 6801-6827).
4 See 15 U.S.C. § 6807.