Earlier this year, Senate Banking Committee Chair Sen. Mike Crapo (R-ID) teamed up with Committee ranking member Sherrod Brown (D-OH) to request feedback from interested parties on the privacy, protection, and collection of sensitive information by financial regulators and private companies. In the leaders’ statement accompanying the solicitation, they cited the Equifax breach as an example of the need for Congress to make it easier for consumers to protect their personal information. They also announced in the statement that the “collection and use of personally identifiable information will be a major focus of the Banking Committee moving forward” and expressed their hope that the information gathered could inform potential legislation proposed in the 116th Congress.
Responses were compiled here, and PIA National’s feedback is available here. Specifically, we noted that many of our members are already subject to state-specific versions of the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law created in October 2017, and subsequently passed in South Carolina, Ohio, and Michigan (and, since then, Mississippi).
We urged Congress to permit this issue to continue to be regulated at the state rather than the federal level. State legislators and regulators will always have a more thorough understanding of local insurance issues than federal lawmakers. Insurance agents’ and their agencies’ available resources vary greatly across the country; the biggest benefit of having this issue regulated at the state or local level is the degree of understanding and flexibility each state has thus far been willing to demonstrate to the agents doing business in that state.
We continue to support flexible, risk-based proposals that recognize the risks to consumers and to independent agencies if a breach were to occur. For that reason, we encourage Congress to limit its involvement to the passage of a bill that protects sensitive consumer data using a harm trigger and other methods that are flexible, risk-based, and practical for small businesses. Any federal law should set a few parameters and remain sufficiently broad to allow states to fill in the details as appropriate.
PIA National also shared its many concerns regarding the treatment of agents’ relationships with third-party service providers. Small businesses, out of necessity, frequently enter into what are known as contracts of adhesion. Large companies serving as Third-Party Service Providers are going to be reluctant to change their cybersecurity practices to reflect compliance with a law that applies only to some small businesses with which they interact. Small businesses rarely have the luxury of negotiating the details of their relationships with relatively large Third-Party Service Providers. Therefore, many small businesses will be subjected to whatever cybersecurity practices the Third-Party Service Provider already offers, whether or not those practices meet the standards set forth by the federal government. PIA National is also concerned that a federal law will impose unrealistic burdens on small business owners like those that own independent insurance agencies.
We’re looking forward to continuing to work with the staff and members on the Senate Banking Committee on the important issue of data security.