Consumer Privacy Protections and Data Security

Following a series of high-profile financial data security breaches, Congress is considering a number of bills that would mandate uniform national standards requiring businesses to protect the security of sensitive personal consumer information, and notify affected consumers when a breach of data security occurs. In addition, these bills include varying provisions on damage mitigation, account monitoring, civil penalties, and prohibitions on private actions. All but two of the pending bills are aimed primarily at preventing identity theft by protecting sensitive personal consumer information used in financial transactions (name, social security, telephone, driver’s license, financial account numbers, etc.), and their preemption of state laws is limited to that information. However, HR 3997 and S 2169 are identical bills that would greatly expand the Fair Credit Reporting Act (FCRA) to broadly preempt state insurance laws that protect the privacy of underwriting and health information held by insurance companies. Due to their excessively wide scope, HR 3997 and S 2169 pose a serious threat to state insurance regulatory authority under Title V of the Gramm-Leach-Bliley Financial Modernization Act (GLBA) of 1999.