[House Report 115-1097]
[From the U.S. Government Publishing Office]


115th Congress    }                                     {       Report
                        HOUSE OF REPRESENTATIVES
 2d Session       }                                     {     115-1097

======================================================================



 
           CONSUMER INFORMATION NOTIFICATION REQUIREMENT ACT

                                _______
                                

 December 21, 2018.--Committed to the Committee of the Whole House on 
            the State of the Union and ordered to be printed

                                _______
                                

Mr. Hensarling, from the Committee on Financial Services, submitted the 
                               following

                              R E P O R T

                             together with

                             MINORITY VIEWS

                        [To accompany H.R. 6743]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Financial Services, to whom was referred 
the bill (H.R. 6743) to amend the Gramm-Leach-Bliley Act to 
provide a national standard for financial institution data 
security and breach notification on behalf of all consumers, 
and for other purposes, having considered the same, report 
favorably thereon with an amendment and recommend that the bill 
as amended do pass.
    The amendment is as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Consumer Information Notification 
Requirement Act''.

SEC. 2. BREACH NOTIFICATION STANDARDS.

  Section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801) is 
amended--
          (1) in subsection (b)(3) by striking the period at the end 
        and inserting ``, including through the provision of a breach 
        notice in the event of unauthorized access that is reasonably 
        likely to result in identity theft, fraud, or economic loss.''; 
        and
          (2) by adding at the end the following:
  ``(c) Standards With Respect to Breach Notification.--Subject to 
section 504(a)(2) and sections 505(b) and 505(c), within 6 months after 
the date of enactment of this subsection, each agency or authority 
required to establish standards described under subsection (b)(3) with 
respect to the provision of a breach notice shall ensure that such 
standards are in compliance with subsection (b).
  ``(d) Insurance.--
          ``(1) Enforcement.--Notwithstanding section 505(a)(6), with 
        respect to an entity engaged in providing insurance, the 
        standards under subsection (b) shall be enforced--
                  ``(A) with respect to any such standards related to 
                data security safeguards, by--
                          ``(i) the State insurance authority of the 
                        State in which the entity is domiciled; or
                          ``(ii) in the case of an insurance agency or 
                        brokerage, the State insurance authority of the 
                        State in which such agency or brokerage has its 
                        principal place of business; and
                  ``(B) with respect to any such standards related to 
                notification of the breach of data security, by the 
                State insurance authority of any State in which 
                customers of the entity are affected by such a breach 
                of data security.
          ``(2) Notification by assuming insurer.--
                  ``(A) In general.--Notwithstanding subsection (b), an 
                assuming insurer that experiences a breach of data 
                security shall only be required to notify the State 
                insurance authority of the State in which the assuming 
                insurer is domiciled.
                  ``(B) Assuming insurer defined.--For purposes of this 
                paragraph, the term `assuming insurer' means an entity 
                engaged in providing insurance that acquires an 
                insurance obligation or risk from another entity 
                engaged in providing insurance pursuant to a 
                reinsurance agreement.
          ``(3) Safeguards for insurance customers.--In carrying out 
        subsection (b) with respect to an entity engaged in providing 
        insurance, a State insurance authority shall establish the 
        standards for safeguarding customer information maintained by 
        entities engaged in activities described in section 4(k)(4)(B) 
        of the Bank Holding Company Act of 1956 (12 U.S.C. 
        1843(4)(k)(4)(B)) that are the same as the standards contained 
        in the interagency guidelines issued by the Comptroller of the 
        Currency, the Board of Governors of the Federal Reserve Board, 
        the Federal Deposit Insurance Corporation, and the Office of 
        Thrift Supervision titled `Interagency Guidelines Establishing 
        Standards for Safeguarding Customer Information', published 
        February 1, 2001 (66 Fed. Reg. 8633), and such standards shall 
        be applied as if the entity engaged in providing insurance was 
        a bank to the extent appropriate and practicable.''.

SEC. 3. PREEMPTION WITH RESPECT TO FINANCIAL INSTITUTION SAFEGUARDS.

  Section 507 of the Gramm-Leach-Bliley Act (15 U.S.C. 6807) is amended 
to read as follows:

``SEC. 507. RELATION TO STATE LAWS.

  ``(a) In General.--This subtitle preempts any law, rule, regulation, 
requirement, standard, or other provision having the force and effect 
of law of any State, or political subdivision of a State, with respect 
to a financial institution or affiliate thereof securing personal 
information from unauthorized access or acquisition, including 
notification of unauthorized access or acquisition of data.
  ``(b) Insurance.--Subsection (a) shall not prevent a State or 
political subdivision of a State from establishing the standards for 
entities engaged in providing insurance required by sections 501(c) and 
501(d), provided the standards established by such State or political 
subdivision do not impose any requirement that is in addition to or 
different from those standards, except where necessary to effectuate 
the purposes of this subtitle.''.

                          Purpose and Summary

    Introduced by Representative Blaine Luetkemeyer on 
September 7, 2018, H.R. 6743, the ``Consumer Information 
Notification Requirement Act'' amends the Gramm-Leach-Bliley 
Act (GLBA) [P.L. 106-102] to direct the federal financial 
regulatory agencies,\1\ within six months of enactment, to 
establish or update a federal standard for consumer 
notification for covered entities in the event of unauthorized 
access of non-public personal information that is likely to 
result in identity theft, fraud, or economic loss to consumers. 
Covered entities include banks, credit unions, brokers, 
dealers, investment companies, investment advisors, insurance 
companies, credit reporting agencies, and all other nonbank 
financial institutions regulated under the Federal Trade 
Commission's (FTC) Safeguards Rule.\2\ The bill also adds 
explicit language that state insurance regulators have the 
responsibility to establish and enforce data security 
safeguards comparable to the 2001 Interagency Guidelines 
Establishing Standards for Safeguarding Customer 
Information.\3\ This bill would require the state insurance 
regulators to create a uniform data security and data breach 
standard for insurance companies.
---------------------------------------------------------------------------
    \1\Agencies includes the OCC, Federal Reserve, FDIC, NCUA, BCFP, 
SEC, FTC, and state insurance regulators.
    \2\The Safeguards Rule requires financial institutions under FTC 
jurisdiction to have measures in place to keep customer information 
secure. In addition to developing their own safeguards, companies 
covered by the Rule are responsible for taking steps to ensure that 
their affiliates and service providers safeguard customer information 
in their care. https://www.ftc.gov/enforcement/rules/rulemaking-
regulatory-reform-proceedings/safeguards-rule. Standards for 
Safeguarding Customer Information; Final Rule. 16 CFR Sec. 314. 2002. 
Available at https://www.ftc.gov/sites/default/files/documents/
federal_register_notices/standards-safeguarding-customer-information-
16-cfr-part-314/020523standardsforsafeguardingcustomerinformation.pdf.
    \3\See Federal Reserve, ``Interagency Guidelines Establishing 
Standards for Safeguarding Customer Information.'' (2001). Available at 
https://www.federalreserve.gov/boarddocs/srletters/2001/sr0115a1.pdf.
---------------------------------------------------------------------------

                  Background and Need for Legislation

    In response to competitive pressure in the financial 
services marketplace, as well as increased demands for 
convenience from consumers, financial institutions are becoming 
increasingly reliant on electronic storage and transmission of 
personal financial data. As the amount of electronically 
accessible data increases, so does the amount of sensitive data 
that is vulnerable to the risk of theft. This increased 
exposure to risk has also created an expectation from consumers 
that institutions ensure the security of personal and financial 
information data.
    Over the last several years, numerous U.S. companies of 
varying sizes and from various industries have experienced 
major data breaches. In November and December of 2013, 
cybercriminals breached the data security of Target, one of the 
largest U.S. retail chains, stealing the personal and financial 
information of millions of customers. On December 19, 2013, 
Target confirmed that some 40 million credit and debit card 
account numbers had been stolen. On January 10, 2014, Target 
announced that personal information, including the names, 
addresses, phone numbers, and email addresses of up to 70 
million customers, was also stolen during the data breach.\4\ 
In September 2017, one the of three credit reporting bureaus, 
Equifax, announced a breach that compromised the personal and 
financial data of over 145 million consumers, or, nearly one-
third of the U.S. population.\5\ These incidents underscore the 
serious threats to financial privacy and data security posed by 
individuals and criminal syndicates--some based overseas--that 
seek access to personal financial data to commit fraud or 
identity theft.
---------------------------------------------------------------------------
    \4\Congressional Research Service, The Target and Other Financial 
Data Breaches: Frequently Asked Questions February 4, 2015 (R43496), N. 
Eric Weiss, Specialist in Financial Economics and Rena S. Miller, 
Specialist in Financial Economics, available at http://www.crs.gov/
Reports/
R43496?source=search&guid=eda354c09eb4496c9b03690e65bf5f4f&index=0.
    \5\https://www.equifaxsecurity2017.com/.
---------------------------------------------------------------------------
    Data breaches affect consumers in two ways. First, data 
breaches subject consumers to uncertainty and confusion. 
Consumers may lose confidence in the payments system when they 
hear about data breaches, even if they are not directly 
affected. Second, data breaches and the improper accessing of 
Personal Identifiable Information (PII) increase consumers' 
vulnerability to identity theft, leading to further 
inconvenience, potential legal issues and possible financial 
loss.
    Protecting information and systems from major cyber 
threats, such as cyber theft, cyber terrorism, cyber warfare, 
and cyber espionage, must be a priority for Congress. 
Cybersecurity incidents include data breaches, in which 
sensitive, personal, or confidential information has 
potentially been viewed, stolen, or used by an individual 
unauthorized to do so. The financial sector is a frequent 
target for cyber incidents, and past incidents have shown the 
potential risks posed by the financial sector's 
interconnectedness with other major sectors of the economy.

     STATE LAW GOVERNING DATA SECURITY AND DATA BREACH NOTIFICATION

    Currently, only a few specific industries of the private-
sector economy are required by federal law to notify consumers 
when a data breach may have compromised consumers' PII. These 
include financial institutions covered by the Gramm-Leach 
Bliley Act (GLBA).
    Forty-eight states, the District of Columbia, Guam, Puerto 
Rico and the Virgin Islands have enacted legislation to require 
private or governmental entities to notify individuals of 
security breaches of information involving PII.\6\ The 
requirements vary by state, but most states require 
notification ``in the most expedient time possible'' or 
``without unreasonable delay.''
---------------------------------------------------------------------------
    \6\http://www.ncsl.org/research/telecommunications-and-information-
technology/security-breach-notification-laws.aspx.
---------------------------------------------------------------------------
    Some state laws impose general data security standards as 
well. Seventeen states and territories permit a private right 
of action pertaining to data breaches or data breach 
notifications.
    And yet, the Equifax breach has reaffirmed that data 
security is a national problem that requires a national 
solution. The patchwork of state laws that comprise the legal 
and regulatory data security and breach notification regime 
have caused both confusion and a lack of accountability as 
cyber criminals continue to steal valuable PII from consumers.

Data Security Standards for Financial Institutions

    Despite continued data breaches, financial institutions and 
retailers argue that further data security legislation and 
regulation may be unnecessary or counterproductive. Financial 
institutions point out that, unlike most other sectors of the 
economy, they are already subject to laws and regulations that 
require them to safeguard confidential customer data. They also 
point out that they have an incentive to safeguard customer 
data because a data breach will damage their relationships with 
their customers and tarnish their brands. For these reasons, 
financial institutions monitor and update their security 
controls to reduce fraud and guard against security breaches.
    As new threats develop, so to must the controls that 
mitigate the risks. As financial institutions are developing or 
reviewing their information security protocols can draw upon a 
variety of sources, including federal laws and regulations and 
numerous security-related guidance, in addition to several 
other entities that provide voluntary standards or information-
gathering roles.
    Financial institutions are required to institute sufficient 
risk management procedures to ensure their safety and 
soundness, and to ensure compliance with federal and state laws 
and regulations. The Federal Financial Institutions Examination 
Council (FFIEC) prescribes uniform principles, standards, and 
report forms for the federal examination of financial 
institutions and makes recommendations to promote uniformity in 
the supervision of financial institutions.\7\ The FFIEC's 
members include the Office of the Comptroller of the Currency 
(OCC), the Federal Deposit Insurance Corporation (FDIC), the 
Board of Governors of the Federal Reserve System (Federal 
Reserve), the Consumer Financial Protection Bureau (BCFP), and 
the National Credit Union Administration (NCUA), as well as a 
representative state regulator.
---------------------------------------------------------------------------
    \7\https://www.ffiec.gov/about.htm.
---------------------------------------------------------------------------
    In 2005 the FFIEC published in the Federal Register the 
Interagency Guidance on Response Programs for Unauthorized 
Access to Customer Information and Customer Notice (Interagency 
Guidance).\8\ This guidance requires customer notice as the key 
feature of an entities response program and states:
---------------------------------------------------------------------------
    \8\https://www.gpo.gov/fdsys/pkg/FR-2005-03-29/pdf/05-5980.pdf.

        ``every financial institution should develop and 
        implement a response program designed to address 
        incidents of unauthorized access to customer 
        information maintained by the institution or its 
        service provider. The final Guidance provides each 
        financial institution with greater flexibility to 
        design a risk-based response program tailored to the 
        size, complexity and nature of its operations.''\9\
---------------------------------------------------------------------------
    \9\https://www.gpo.gov/fdsys/pkg/FR-2005-03-29/pdf/05-5980.pdf.

    To ensure financial institutions adhere to these principles 
the 2005 Interagency Guidance requires the following of 
breached entities:
           Assessing the nature and scope of an 
        incident and identifying what customer information 
        systems and types of customer information have been 
        accessed or misused,
           Notifying its primary federal regulator ``as 
        soon as possible'' when the institution becomes aware 
        of an incident involving unauthorized access to or use 
        of sensitive customer information,
           Consistent with the Agencies' Suspicious 
        Activity Report (``SAR'') regulations, notifying 
        appropriate law enforcement authorities, in addition to 
        filing a timely SAR in situations involving federal 
        criminal violations requiring immediate attention, such 
        as when a reportable violation is ongoing,
           Taking appropriate steps to contain and 
        control the incident to prevent further unauthorized 
        access to or use of customer information,
           Notifying customers when warranted and ``as 
        soon as possible'', with a delay only at the directive 
        of law enforcement agency for investigation 
        purposes.\10\
---------------------------------------------------------------------------
    \10\https://www.fdic.gov/news/news/financial/2005/fil2705a.pdf.
---------------------------------------------------------------------------
    A flexible and scalable standard guarantees that a 
financial institution can both notify its customers and 
undertake corrective action from the breached entity in the 
necessary and appropriate timeframes. A scalable standard does 
not hamper law enforcement during the course of their 
investigation.
    Additionally the FFIEC has published an Information 
Security Handbook to assist examiners evaluate a financial 
institution's cybersecurity management.\11\ The handbook 
provides guidance on information security risk assessment, 
security controls, and security monitoring. The handbook also 
addresses outsourced operations and requires that financial 
institutions exercise their security responsibilities for 
outsourced operations through: due diligence in selecting 
service providers; contractual delineation of security 
responsibilities, controls, and reporting; contractual 
provisions addressing nondisclosure of data; independent audits 
of the service provider's security; and coordinated incident 
response and notification requirements. In addition, federal 
statutes provide the federal financial regulators with 
authority to monitor third-party service providers. Banks and 
other covered depository institutions are examined every 12 to 
18 months for compliance with the cybersecurity handbook, and 
may be examined more frequently at a regulator's discretion.
---------------------------------------------------------------------------
    \11\http://ithandbook.ffiec.gov/it-booklets/information-
security.aspx.
---------------------------------------------------------------------------
    Title V of GLBA requires that financial institutions 
provide customers with notice of their privacy policies and 
safeguard the security and confidentiality of customer 
information, to protect against any anticipated threats or 
hazards to the security or integrity of such records, and to 
protect against unauthorized access to or use of such records 
or information which could result in substantial harm or 
inconvenience to any customer. Section 4(k) of the Bank Holding 
Company Act of 1956 and accompanying regulations define 
financial institutions as businesses that are engaged in 
certain ``financial activities.'' Such activities include 
traditional banking, lending, and insurance functions, along 
with other financial activities.
    GLBA requires regulators of ``financial institutions'' to 
develop and impose upon financial institutions standards for 
administrative, technical, and physical safeguards to protect 
the security, confidentiality, and integrity of customer 
information. GLBA delegates enforcement and rulemaking 
authority to the federal banking and securities regulators and 
the state insurance regulators. For ``financial institutions'' 
not regulated by one of these functional regulators, the FTC 
imposes safeguards provided the ``financial institution'' is 
``significantly engaged in financial activities.'' GLBA does 
not set forth independent authority for the regulators. The 
regulators must use authority available to them under other 
statutes, such as their organic statutes, or, in the case of 
the FTC, section 5 of the Federal Trade Commission Act. There 
is no private right of action for failure to adhere to GLBA's 
privacy standards.
    The federal banking agencies monitor banking companies for 
safety and soundness and compliance with laws and regulations 
by on-site examinations--at least annually and every 18 months 
for some community banks. Included in the examination is a 
comprehensive review of information technology and security. 
The GLBA safeguards standards are integrated into the overall 
IT examination. In addition, since 2001, the banking agencies 
have issued a series of guidelines, which have the force of 
law, detailing how the GLBA safeguards requirements are to be 
put into effect. The guidelines require that financial 
institutions develop security programs that are tailored to the 
complexity of their operations. They must include board of 
directors' involvement; risk assessment; oversight of service 
providers; personnel training; systems monitoring; breach 
response procedures; and mitigation of incidents. Under these 
guidelines, when a security breach is detected, the financial 
institution must notify law enforcement and its supervisory 
agency or agencies as soon as possible; customers must be 
notified if a reasonable investigation shows that misuse of 
sensitive customer information has occurred or is reasonably 
possible. Measures to control the incident and mitigate its 
consequences must be implemented.
    The security guidelines recommend implementation of a risk-
based response program, including customer notification 
procedures, to address unauthorized access to or use of 
customer information maintained by a financial institution or 
its service provider that could result in substantial harm or 
inconvenience to any customer, and require disclosure of a data 
security breach if the covered entity concludes that ``misuse 
of its information about a customer has occurred or is 
reasonably possible.'' Pursuant to the guidance, substantial 
harm or inconvenience is most likely to result from improper 
access to ``sensitive customer information.''
    Financial institutions must also comply with state data 
security breach notification laws. Retailers and merchants are 
not subject to GLBA or any comparable federal law. Forty-seven 
states, the District of Columbia, Guam, Puerto Rico, and the 
Virgin Islands have laws requiring private or government 
entities to provide notification of data security breaches to 
individuals. The requirements vary by state, but most states 
require notification ``in the most expedient time possible'' or 
``without unreasonable delay.'' Some state laws impose general 
data security standards.

Department of Treasury Recommendations

    The United States currently does not have a national law to 
govern uniform notification standards. In July 2018, the 
Department of Treasury published a report titled the ``A 
Financial System that Creates Economic Opportunities; Nonbank 
Financial, Fintech, and Innovation.'' The report appropriately 
noted the inconsistencies that a fragmented state patchwork 
causes by stating:

          The United States does not have a national law 
        establishing uniform national standards for notifying 
        consumers of data breaches, or for providing them a 
        clear and straightforward mechanism for resolving 
        disputes. In the absence of uniform national standards, 
        states have been aggressive in developing their own 
        data breach notification laws. Each state law may apply 
        to any company located in that state or that does 
        business with residents of that state. In practice, 
        this means that in the event of a data breach companies 
        could be subject to the data breach notification laws 
        of 50 states as well as of the District of Columbia, 
        Puerto Rico, Guam, and the U.S. Virgin Islands. State 
        laws for data breach notification often include 
        specific provisions regarding the number of affected 
        individuals that will trigger notification 
        requirements, the timing of notification, and form of 
        notification, among other requirements. Unsurprisingly, 
        state data breach notification laws are far from 
        uniform. Indeed, they vary in a number of significant 
        ways, including with respect to the most fundamental 
        aspect, namely the scope of data covered under the 
        definition of personal information. Other 
        inconsistencies among states' breach notification laws 
        can make compliance difficult for firms and entail 
        disparate treatment for consumers. The lack of 
        uniformity and efficiency affects both nonfinancial 
        companies and financial institutions.\12\
---------------------------------------------------------------------------
    \12\U.S. Department of Treasury, ``A Financial System that Creates 
Economic Opportunities: Nonbank Financials, Fintech, and Innovation.'' 
(Jul. 2018). Available at https://home.treasury.gov/sites/default/
files/2018-07/A-Financial-System-that-Creates-Economic-Opportunities--
Nonbank-Financi. . . .pdf.

    The Department of Treasury recommends that Congress should 
enact federal standard legislation to protect consumer 
financial data through a technology neutral and scalable 
standard. H.R. 6743 responds to and fulfills the Treasury 
Department's recommendation.

                                Hearings

    The Committee held hearings examining matters relating to 
H.R. 6743 on October 5 and 25, 2017, November 1, 2017, February 
14, 2018, March 7, 2018, and March 15, 2018.

                        Committee Consideration

    The Committee on Financial Services met in open session on 
September 13, 2018, and ordered H.R. 6743 to be reported 
favorably to the House as amended by a recorded vote of 32 yeas 
to 20 nays (recorded vote no. FC-208), a quorum being present. 
Before the motion to report was offered, the Committee adopted 
an amendment in the nature of a substitute offered by Mr. 
Luetkemeyer by voice vote. An amendment in the nature of a 
substitute offered by Ranking Member Waters was not agreed to 
by a recorded vote of 20 yeas to 32 nays (recorded vote no. FC-
207).

                            Committee Votes

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires the Committee to list the record votes 
on the motion to report legislation and amendments thereto. An 
amendment in the nature of a substitute offered by Ranking 
Member Waters was not agreed to by a recorded vote of 20 yeas 
to 32 nays (recorded vote no. FC-207). A motion by Chairman 
Hensarling to report the bill favorably to the House as amended 
was agreed to by a recorded vote of 32 yeas to 20 nays 
(recorded vote no. FC-208), a quorum being present.


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                      Committee Oversight Findings

    Pursuant to clause 3(c)(1) of rule XIII of the Rules of the 
House of Representatives, the findings and recommendations of 
the Committee based on oversight activities under clause 
2(b)(1) of rule X of the Rules of the House of Representatives, 
are incorporated in the descriptive portions of this report.

                    Performance Goals and Objectives

    Pursuant to clause 3(c)(4) of rule XIII of the Rules of the 
House of Representatives, the Committee states that H.R. 6743 
will direct the federal financial regulatory agencies to 
establish standards contained in the 2005 Interagency Guidance 
on Response Programs for Unauthorized Access to Customer 
Information and Customer Notice.

   New Budget Authority, Entitlement Authority, and Tax Expenditures

    In compliance with clause 3(c)(2) of rule XIII of the Rules 
of the House of Representatives, the Committee adopts as its 
own the estimate of new budget authority, entitlement 
authority, or tax expenditures or revenues contained in the 
cost estimate prepared by the Director of the Congressional 
Budget Office pursuant to section 402 of the Congressional 
Budget Act of 1974.

                 Congressional Budget Office Estimates

    Pursuant to clause 3(c)(3) of rule XIII of the Rules of the 
House of Representatives, the following is the cost estimate 
provided by the Congressional Budget Office pursuant to section 
402 of the Congressional Budget Act of 1974:

                                     U.S. Congress,
                               Congressional Budget Office,
                                 Washington, DC, December 20, 2018.
Hon. Jeb Hensarling,
Chairman, Committee on Financial Services,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 6743, the Consumer 
Information Notification Requirement Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Stephen 
Rabent.
            Sincerely,
                                                Keith Hall,
                                                          Director.
    Enclosure.

H.R. 6743--Consumer Information Notification Requirement Act

    H.R. 6743 would require several federal agencies to 
establish standards regarding how financial institutions 
provide notifications of a data breach to customers. Under the 
bill, State insurance authorities would be required to enforce 
those standards.
    Under the bill, the Federal Deposit Insurance Corporation 
(FDIC), the Office of the Comptroller of the Currency (OCC), 
the National Credit Union Administration (NCUA), the Federal 
Reserve, the Securities and Exchange Commission (SEC), and the 
Federal Trade Commission (FTC) would be required to create or 
update their standards for notifying people about a data 
breach. Using information from several of those affected 
agencies, CBO estimates that the costs to implement the bill 
would not be significant for any agency.
    Any spending by the FTC would be subject to the 
availability of appropriated funds. Because the SEC is 
authorized under current law to collect fees sufficient to 
offset its annual appropriation, we estimate that the net costs 
to the SEC would be negligible, assuming appropriation actions 
consistent with that authority.
    Administrative costs incurred by the FDIC, the NCUA, and 
the OCC are recorded in the budget as increases in direct 
spending, but those agencies are authorized to collect premiums 
and fees from insured depository institutions to cover 
administrative expenses. Thus, CBO expects that the net effect 
on direct spending would be negligible. Administrative costs to 
the Federal Reserve are reflected in the federal budget as a 
reduction in remittances to the Treasury (which are recorded in 
the budget as revenues).
    Because enacting H.R. 6743 could affect direct spending and 
revenues, pay-as-you-go procedures apply. However, the net 
effect on direct spending and revenues would not be 
significant.
    CBO estimates that enacting H.R. 6743 would not increase 
net direct spending or on-budget deficits in any of the four 
consecutive 10-year periods beginning in 2029.
    H.R. 6743 would explicitly preempt state and local laws 
that require insurance providers as well as financial 
institutions and their affiliates to notify customers in the 
event of a security breach. All 50 states, the District of 
Columbia, Guam, Puerto Rico, and the Virgin Islands would be 
affected. The bill also would preempt laws in at least 22 
states that have enacted data security laws. These preemptions 
would be a mandate as defined by the Unfunded Mandates Reform 
Act (UMRA).
    The bill also would require state insurance authorities to 
enforce new federal standards that would direct insurance 
agencies and brokerages to notify customers of a data breach. 
That requirement would be a mandate as defined in UMRA.
    H.R. 6743 would impose private-sector mandates by requiring 
financial institutions and their affiliates to comply with new 
standards for data security and breach notifications as 
established by the federal government. Further, if federal 
regulatory agencies increase fees to offset the costs 
associated with implementing the bill, H.R. 6743 would increase 
the cost of an existing mandate on private entities required to 
pay those fees.
    Because the various federal regulatory agencies have yet to 
establish the required data security and breach standards, CBO 
cannot determine if the cost to comply with the bill's 
requirements would exceed the threshold for intergovernmental 
and private-sector mandates established in UMRA ($80 million 
and $160 million in 2018, respectively, adjusted annually for 
inflation).
    The CBO staff contacts for this estimate are Stephen Rabent 
(for federal costs) and Rachel Austin (for mandates). The 
estimate was reviewed by H. Samuel Papenfuss, Deputy Assistant 
Director for Budget Analysis.

                       Federal Mandates Statement

    This information is provided in accordance with section 423 
of the Unfunded Mandates Reform Act of 1995.
    The Committee has determined that the bill does not contain 
Federal mandates on the private sector. The Committee has 
determined that the bill does not impose a Federal 
intergovernmental mandate on State, local, or tribal 
governments.

                      Advisory Committee Statement

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                  Applicability to Legislative Branch

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of the section 
102(b)(3) of the Congressional Accountability Act.

                         Earmark Identification

    With respect to clause 9 of rule XXI of the Rules of the 
House of Representatives, the Committee has carefully reviewed 
the provisions of the bill and states that the provisions of 
the bill do not contain any congressional earmarks, limited tax 
benefits, or limited tariff benefits within the meaning of the 
rule.

                    Duplication of Federal Programs

    In compliance with clause 3(c)(5) of rule XIII of the Rules 
of the House of Representatives, the Committee states that no 
provision of the bill establishes or reauthorizes: (1) a 
program of the Federal Government known to be duplicative of 
another Federal program; (2) a program included in any report 
from the Government Accountability Office to Congress pursuant 
to section 21 of Public Law 111-139; or (3) a program related 
to a program identified in the most recent Catalog of Federal 
Domestic Assistance, published pursuant to the Federal Program 
Information Act (Pub. L. No. 95-220, as amended by Pub. L. No. 
98-169).

                   Disclosure of Directed Rulemaking

    Pursuant to section 3(i) of H. Res. 5, (115th Congress), 
the following statement is made concerning directed rule 
makings: The Committee estimates that the bill requires no 
directed rule makings within the meaning of such section.

             Section-by-Section Analysis of the Legislation


Section 1. Short title

    This section cites H.R. 6743 as the ``Consumer Information 
Notification Requirement Act.''

Section 2. Breach notification standards

    This section amends Section 501 of the Gramm-Leach-Bliley 
Act in order to help establish and federal standard on data 
security breach notifications.

Section 3. Preemption with respect to financial institution safeguards

    This section amends Section 507 of the Gramm-Leach-Bliley 
Act to insert a preemptive requirement over state law.

         Changes in Existing Law Made by the Bill, as Reported

    In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, and existing law in which no 
change is proposed is shown in roman):

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, and existing law in which no 
change is proposed is shown in roman):

                         GRAMM-LEACH-BLILEY ACT




           *       *       *       *       *       *       *
                            TITLE V--PRIVACY

        Subtitle A--Disclosure of Nonpublic Personal Information

SEC. 501. PROTECTION OF NONPUBLIC PERSONAL INFORMATION.

  (a) Privacy Obligation Policy.--It is the policy of the 
Congress that each financial institution has an affirmative and 
continuing obligation to respect the privacy of its customers 
and to protect the security and confidentiality of those 
customers' nonpublic personal information.
  (b) Financial Institutions Safeguards.--In furtherance of the 
policy in subsection (a), each agency or authority described in 
section 505(a), other than the Bureau of Consumer Financial 
Protection, shall establish appropriate standards for the 
financial institutions subject to their jurisdiction relating 
to administrative, technical, and physical safeguards--
          (1) to insure the security and confidentiality of 
        customer records and information;
          (2) to protect against any anticipated threats or 
        hazards to the security or integrity of such records; 
        and
          (3) to protect against unauthorized access to or use 
        of such records or information which could result in 
        substantial harm or inconvenience to any customer[.], 
        including through the provision of a breach notice in 
        the event of unauthorized access that is reasonably 
        likely to result in identity theft, fraud, or economic 
        loss.
  (c) Standards With Respect to Breach Notification.--Subject 
to section 504(a)(2) and sections 505(b) and 505(c), within 6 
months after the date of enactment of this subsection, each 
agency or authority required to establish standards described 
under subsection (b)(3) with respect to the provision of a 
breach notice shall ensure that such standards are in 
compliance with subsection (b).
  (d) Insurance.--
          (1) Enforcement.--Notwithstanding section 505(a)(6), 
        with respect to an entity engaged in providing 
        insurance, the standards under subsection (b) shall be 
        enforced--
                  (A) with respect to any such standards 
                related to data security safeguards, by--
                          (i) the State insurance authority of 
                        the State in which the entity is 
                        domiciled; or
                          (ii) in the case of an insurance 
                        agency or brokerage, the State 
                        insurance authority of the State in 
                        which such agency or brokerage has its 
                        principal place of business; and
                  (B) with respect to any such standards 
                related to notification of the breach of data 
                security, by the State insurance authority of 
                any State in which customers of the entity are 
                affected by such a breach of data security.
          (2) Notification by assuming insurer.--
                  (A) In general.--Notwithstanding subsection 
                (b), an assuming insurer that experiences a 
                breach of data security shall only be required 
                to notify the State insurance authority of the 
                State in which the assuming insurer is 
                domiciled.
                  (B) Assuming insurer defined.--For purposes 
                of this paragraph, the term ``assuming 
                insurer'' means an entity engaged in providing 
                insurance that acquires an insurance obligation 
                or risk from another entity engaged in 
                providing insurance pursuant to a reinsurance 
                agreement.
          (3) Safeguards for insurance customers.--In carrying 
        out subsection (b) with respect to an entity engaged in 
        providing insurance, a State insurance authority shall 
        establish the standards for safeguarding customer 
        information maintained by entities engaged in 
        activities described in section 4(k)(4)(B) of the Bank 
        Holding Company Act of 1956 (12 U.S.C. 
        1843(4)(k)(4)(B)) that are the same as the standards 
        contained in the interagency guidelines issued by the 
        Comptroller of the Currency, the Board of Governors of 
        the Federal Reserve Board, the Federal Deposit 
        Insurance Corporation, and the Office of Thrift 
        Supervision titled ``Interagency Guidelines 
        Establishing Standards for Safeguarding Customer 
        Information'', published February 1, 2001 (66 Fed. Reg. 
        8633), and such standards shall be applied as if the 
        entity engaged in providing insurance was a bank to the 
        extent appropriate and practicable.

           *       *       *       *       *       *       *


[SEC. 507. RELATION TO STATE LAWS.

  [(a) In General.--This subtitle and the amendments made by 
this subtitle shall not be construed as superseding, altering, 
or affecting any statute, regulation, order, or interpretation 
in effect in any State, except to the extent that such statute, 
regulation, order, or interpretation is inconsistent with the 
provisions of this subtitle, and then only to the extent of the 
inconsistency.
  [(b) Greater Protection Under State Law.--For purposes of 
this section, a State statute, regulation, order, or 
interpretation is not inconsistent with the provisions of this 
subtitle if the protection such statute, regulation, order, or 
interpretation affords any person is greater than the 
protection provided under this subtitle and the amendments made 
by this subtitle, as determined by the Bureau of Consumer 
Financial Protection, after consultation with the agency or 
authority with jurisdiction under section 505(a) of either the 
person that initiated the complaint or that is the subject of 
the complaint, on its own motion or upon the petition of any 
interested party.]

SEC. 507. RELATION TO STATE LAWS.

  (a) In General.--This subtitle preempts any law, rule, 
regulation, requirement, standard, or other provision having 
the force and effect of law of any State, or political 
subdivision of a State, with respect to a financial institution 
or affiliate thereof securing personal information from 
unauthorized access or acquisition, including notification of 
unauthorized access or acquisition of data.
  (b) Insurance.--Subsection (a) shall not prevent a State or 
political subdivision of a State from establishing the 
standards for entities engaged in providing insurance required 
by sections 501(c) and 501(d), provided the standards 
established by such State or political subdivision do not 
impose any requirement that is in addition to or different from 
those standards, except where necessary to effectuate the 
purposes of this subtitle.

           *       *       *       *       *       *       *


                             MINORITY VIEWS

    One year after the Equifax data breach exposed more than 
145 million Americans' personal information, H.R. 6743 would 
reduce the privacy, confidentiality, and security of American 
consumers' nonpublic personal information.
    H.R. 6743 would put consumers at risk by broadly preempting 
state law. The bill's Federal preemption would prohibit state 
Attorneys General from enforcing their own laws against 
financial institutions that lost their customers' personal, 
non-public information, and prevent states from applying more 
stringent protections for their state residents. Thirty-two 
state Attorneys General warned about the danger of including 
sweeping Federal preemption in any Federal data security 
legislation, noting that:

          ``States have proven themselves to be active, agile, 
        and experienced enforcers of their consumers' data 
        security and privacy. With the increasing threat and 
        ever--evolving nature of data security risks, the state 
        consumer protection laws that our Offices enforce 
        provide vital flexibility and a vehicle by which the 
        States can rapidly and effectively respond to protect 
        their consumers. . . . Congress should not preempt 
        state data security and breach notification laws.''\1\
---------------------------------------------------------------------------
    \1\http://www.illinoisattorneygeneral.gov/pressroom/2018_03/
20180319b.html and http://www.illinoisattorneygeneral.gov/pressroom/
2018_03/Committee_Leaders_letter.pdf.

    The Federal preemption provisions in H.R. 6743 go far 
beyond the existing provisions in the Gramm Leach Bliley Act 
related to the privacy and security of a financial 
institution's customers' nonpublic personal information. 
Instead, the bill would prohibit states from enacting and 
enforcing laws relating to financial institutions and all of 
their affiliates with respect to securing any personal 
information from an unauthorized breach. Thus, while proponents 
of the bill claim that it would help enhance data security, it 
would significantly reduce, and not strengthen, the privacy, 
confidentiality, and security of American consumers' nonpublic 
personal information.
    A number of state officials, as well as state and national 
consumer, civil rights, civil liberties, privacy organizations 
echoed these concerns in their strong opposition to the bill, 
including the National Governors Association (``NGA''),\2\ 
National Association of Insurance Commissioners (``NAIC''),\3\ 
Conference of State Bank Supervisors (``CSBS''),\4\ Consumers 
Union, U.S. PIRG, Americans for Financial Reform (``AFR''), 
Public Citizen, NAACP, National Network to End Domestic 
Violence, and Patient Privacy Rights.\5\
---------------------------------------------------------------------------
    \2\https://www.nga.org/news/nga-urges-the-house-financial-services-
committee-to-oppose-the-consumer-information-notification-requirement-
act/.
    \3\https//www.naic.org/documents/
government_relations_180912_hr6743_consumer_information_notification_req
_letter.pdf.
    \4\https://www.csbs.org/csbs-opposes-hr-6743-consumer-information-
notification-requirement-act.
    \5\See https://uspirg.org/resources/usp/group-letter-opposing-
equifax-protection-act-hr6743-luetkemeyer-prevents-state-data, https://
uspirg.org/blogs/eds-blog/usp/latest-trojan-horse-data-breach-bill-
hr6743-luetkemeyer-could-be-called-equifax, and https://uspirg.org/
blogs/blog/usp/32-state-attorneys-general-congress-dont-replace-our-
stronger-privacy-laws.
---------------------------------------------------------------------------
    NGA, for example, underscored that the bill ``would 
prohibit states from imposing or enforcing any strong consumer 
protection standards that go above and beyond Federal 
standards, thereby inhibiting ongoing efforts by states to 
adopt data security laws and regulations that are in the best 
interest of consumers.''
    State insurance regulators voiced similar concerns, noting 
in their opposition letter, that the bill ``assigns enforcement 
of its Federal data security requirements to an insurer's state 
of domicile, which may be far removed from the location of 
consumers who are harmed by a data breach. . . . It is 
fundamentally at odds with the state-based regulatory regime, 
which recognizes that those insurance regulators that have 
expertise and experience with a local insurance market are best 
positioned to protect a state's insurance consumers.''
    The CSBS also stated, ``State regulators firmly oppose H.R. 
6743 for its attempt to preempt state data breach and privacy 
laws. States have demonstrated their ability to spot emerging 
risks early and to act with agility in responding to those 
risks.''
    Unfortunately, an amendment offered by Ranking Member 
Waters to repeal the harmful Federal preemption provision in 
the bill was rejected on a party-line vote. Therefore, we 
oppose H.R. 6743, which would gut states' discretion and 
ability to protect their residents.

                                   Maxine Waters.
                                   Carolyn B. Maloney.
                                   Nydia M. Velazquez.
                                   Wm. Lacy Clay.
                                   Michael E. Capuano.
                                   Charlie Crist.

                                  [all]