Data Security Bill Would Have States Police Insurers
By Arthur D. Postal
Language in a new House bill setting federal rules for companies' consumer data security would leave state regulators in charge of enforcing adherence by insurance companies.
The bill, introduced with bipartisan support last week, would safeguard sensitive consumer information, fight identity theft, and create a uniform standard for notifying consumers of data breaches. It would also bar states from setting their own data security regulations.
The National Association of Mutual Insurance Companies said it would support the bill, which it called "a reasonable attempt to address consumers' concerns about identity theft in a way that reflects the practicality of business operations."
NAMIC also said it supported state enforcement authority, while the Property Casualty Insurers Association of America lobbied for oversight of insurance companies through the Federal Trade Commission.
The American Council of Life Insurers said it would prefer uniform enforcement through the Treasury Department. "Minus that, we would support uniform, effective enforcement through state regulation," according to Whit Cornman, a staff official.
The three groups also differ on the broader issue of how the insurance industry should be regulated going forward. The ACLI, for example, has been lobbying heavily for legislation that would create an optional federal charter, with enforcement through a subagency housed within the Treasury Department.
Data security is becoming a priority in Congress, especially since the records of several credit card processing companies were breached this summer.
The data security bill, titled the "Financial Data Protection Act of 2005," would prevent data breaches by mandating a strong national standard for the protection of sensitive consumer information.
It would require institutions to notify consumers that their information has been compromised and could be used by identity thieves. It would also require institutions to provide consumers with a free six-month nationwide credit monitoring service upon notification of a breach.
David Winston, NAMIC senior vice president for federal affairs, said the bill is supportable because it requires notice to consumers only if it is determined that the breached information "is reasonably likely to be misused."
"This is an important qualifier because there are many breaches that do not present such a risk, and requiring disclosure of all breaches would overwhelm businesses and likely produce such frequent consumer notices that consumers would just throw them away," Mr. Winston said.
Other provisions that make the bill supportable for small insurers include the mandate that it will be enforced by an institution's functional regulator.
"In the case of insurers, this would mean the regulator in the state of domiciliary," Mr. Winston said. "This is very important as the enforcer could have been the Treasury Department or the Federal Trade Commission."
The Property Casualty Insurers Association of America had pushed for enforcement through the FTC, a staff official confirmed.
Scott Duncan, a staff official in PCI's Washington office, said that PCI "strongly" supports the bill because "it represents a common sense compromise that will both protect consumers and ensure the continued functionality of insurance markets."
"It leaves regulatory authority to the states but gives multistate companies the ability to comply with one set of regulations without creating a new federal bureaucracy," Mr. Duncan said.
"PCI is in favor of strong data protection standards," he said. "This legislation will provide consumers with strong protections while ensuring the continuing vitality and effectiveness of the state insurance regulatory system."
The bill also provides a safe harbor from lawsuits, if reasonable policies and procedures are in place and mitigation services such as credit monitoring are provided, Mr. Winston said.
Under the bill, a breached organization would be required to provide consumers, free of charge, a service that monitors consumer credit files so they will be informed if attempts are made to open new lines of credit in their name.
The bill was introduced by several members of the House Financial Services Committee, including Reps. Steve LaTourette, R-Ohio; Darlene Hooley, D-Ore.; Michael Castle, R-Del.; Dennis Moore, D-Kan.; and Deborah Pryce, R-Ohio, chairman of the committee's Domestic and International Monetary Policy Subcommittee.
What The Bill Says
A bill introduced in the House of Representatives last week to safeguard sensitive consumer information would:
o Require institutions to notify consumers that their information has been compromised and could be used by identity thieves, in the event of a data breach in which information is reasonably likely to be misused.
o Require institutions to provide consumers with a free six-month nationwide credit monitoring service upon notification of a breach.
o Mandate that state insurance regulators enforce uniform national standards for notifying consumers about breaches and bar states from imposing their own standards.
o Provide a safe harbor from lawsuits, if institutions have reasonable policies and procedures in place and provide mitigation services such as credit monitoring.
o Require a breached organization to provide consumers a service that monitors credit files, free of charge, so they will be informed if attempts are made to open new lines of credit in their name.