Payment Industry Urges Congressional Action on Breach Bills

By Kery Murakami

Sept. 17 — Payment industry executives pressed for action on a national breach notification standard in closed-door meetings with key House and Senate members Sept. 17 as the legislation's prospects in Congress remain uncertain this year.

A single standard for informing consumers about hacks would be easier to follow than the cacophony of laws in 47 states they now face, iPayment, Inc. President Greg Cohen told Bloomberg BNA, before payment executives were due to meet with lawmakers in both chambers.

“No matter what we do as an industry on data protection, breaches occasionally happen,” said Cohen, president-elect of the Electronic Transactions Association, which organized the lobbying effort. “One of the challenges we have in working with a merchant after a breach is that with 47 state laws, it’s especially challenging figuring out what’s required to be done,” he said.

The payment executives also pushed lawmakers to pass the Cybersecurity Information Sharing Act (S.754), which encourages companies to share information with each other and the government on cyberattacks by shielding them from lawsuits stemming from the disclosure. Responding to critics' concerns that private information could end up being held by the government, Cohen said there is a greater risk of private information ending up in unwanted hands of hackers, which the CISA is intended to prevent. The U.S. Chamber of Commerce, the United States Telecom Association and other industry groups have also been pushing for CISA's passage, but it's uncertain whether it would come to a vote.

“Combatting cyber-theft is a relentless battle,” Jonathan Genovese, director of regulatory compliance and government affairs at the payment processor Vantiv, said in a Sept. 17 e-mail to Bloomberg BNA. “Without the appropriate framework for private enterprise, government cooperation, it's like fighting with one arm tied behind your back.”

House and Senate pre-emption bills on security and notification have drawn the opposition of consumer groups and state attorneys general, who argue the requirements for protecting data and notifying customers would be weakened in states with particularly tough regulations. Financial services lobbyists have expressed doubts that Congress will find room on its packed agenda to consider the bills this year.

Neugebauer: Congress Has Time

But H.R. 2205 sponsor, Rep. Randy Neugebauer (R-Texas), told Bloomberg BNA after a National Association of Federal Credit Unions event Sept. 17 that Congress will have time to take up the issue after dealing with the federal budget and a controversial highways bill. “There’s still a lot of time left in the 114th Congress,” he said. Neugebauer, chairman of the House Financial Services Subcommittee on Financial Institutions and Consumer Credit, said in a statement Sept. 17 that he will not be seeking re-election in 2016.

Neugebauer said at the event that a single standard on data security was needed to “secure every part of the payment chain” because hackers would exploit any weak link.

Banking and other groups have complained that it's unfair that retailers and other industries do not face anti-breach regulations similar to those that apply to financial institutions under the Gramm-Leach-Bliley Act.

Neugebauer told Bloomberg BNA the array of state notification laws, involving requirements on how soon and what information needs to be given to consumers, are too unwieldy for companies to follow and should be replaced with a single national standard.

The companies “have been managing to deal with disparate state laws in this regard for years,” Susan Grant, the Consumer Federation of America’s consumer protection and privacy director and an opponent of the preemption bills, said in a Sept. 17 e-mail.

The current notification system “is a complex patchwork of various state laws with varying and sometimes conflicting requirements,” Genovese said. “A federal standard will bring certainty and consistency to the process so that businesses clearly understand their obligations and consumers have a better understanding of what they can expect.”

Cohen said the varying notification requirements are so cumbersome that companies need to hire consultants to understand the different requirements. Errors are still made, he said.

“You could send a letter with information the state of Kentucky requires to someone in Virginia. Or you could send a letter based on the time Maryland gives you, when the state where you’re sending the letter gives you 10 days shorter,” he said.

To contact the reporter on this story: Kery Murakami in Washington at

To contact the editor responsible for this story: Seth Stern at