John Heasley
TBA General Counsel

Federal laws are needed for privacy and cybersecurity

Two years ago, the credit scoring firm Equifax suffered a breach that compromised the personal information of 148 million people. It recently settled lawsuits and claims for a cost of $700 million.

In July, Capital One, a $372 billion U.S. credit card bank and conventional lender, realized that over a period of four months a hacker had stolen the information of 106 million credit card customers and applicants. Capital One’s server was breached through a server hosted on an Amazon cloud-computing platform.

Capital One has stated that it will cost $150 million this year to deal with the breach. This amounts to less than $1.50 per victim; estimates of the worldwide settlement costs to Equifax are only $150 per victim. An economist editorial suggests that the price should be $1,000 per victim in order to incentivize investment in data security.

Despite the negligence of a few financial services providers, the banking industry is the gold standard when it comes to customer privacy and data protection. This is due to the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act at the federal level and supervisors like the Texas Department of Banking in our state.

Potential problems are starting to occur as states begin to pass their own laws and other industries, like retailers, fail to modernize as the banks have done. If Congress is to act on a data privacy/security initiative, it needs to preempt the patchwork of state laws to ensure nationwide consistency.

A Texas bank shouldn’t have to worry about a different set of laws for a California customer. Privacy standards must also apply to third-party service providers. Further, all industries handling sensitive customer data must be held to the higher data protection standards adhered to by the banking industry.

Will Congress do the right thing in this area? In the short term it is highly unlikely. Republican Sen. Mike Crapo of Idaho chairs the Senate Banking Committee. He is working with ranking Democrat Sherrod Brown of Ohio on privacy issues, but they seem more focused on big tech and other data aggregators than they are on the interests of banks.

At a minimum, there appears to be a bipartisan consensus that individuals should be given more control over their data. Even if the Senate were to come up with a data privacy bill, it is unlikely that their Democratic counterparts in the House would agree with it.

The Democrats controlling the House are preoccupied with pursuing impeachment proceedings and getting as much information as they can on the president prior to the 2020 election.

Chairwoman Waters has subpoenaed Trump business records from Deutsche Bank on suspicions of Russian collusion. Deutsche recently announced that they have some Trump tax records, thereby exhilarating Democrats that have been thwarted in two other House committees. The availability of the tax returns will still need to be litigated and House Judiciary is getting closer to formal impeachment hearings.

In August, Waters announced she will hold hearings on data privacy. No mention was made of possible legislation. Worth noting is that with Californians as speaker and chair of the House Financial Services Committee, it is highly unlikely that they would consider a vote on preempting California’s troublesome privacy law. House Democrats are also more inclined to include private rights of action (class actions) if they produce a bill.

As with so many other issues, the future of privacy and data security for our industry depends on what happens in the 2020 elections.