On December 9, 2015, the House Financial Services Committee reported a Bill to Congress that would impact the cybersecurity compliance of financial services companies. The Bill, H.R. 2205, would set standards for development and implementation of cybersecurity protocols; require investigation and notification of breaches; and allow administrative enforcement.
One of the most important aspects of H.R. 2205 is its structure of cybersecurity protocols. The Bill would require covered entities (essentially, entities with access to financial account information and personally identifiable information (PII)) to “develop, implement, and maintain comprehensive information security program[s]” to protect the security and confidentiality of financial account information and PII. H.R. 2205 Sec. 4(a)(1). Like other cybersecurity frameworks, H.R. 2205 requires covered entities to conduct self-evaluations to determine what protocols are necessary given their “size and complexity,” “nature and scope of activities,” and type of information held. Id. (a)(3). H.R. 2205 would require each covered entity to designate a program coordinator, identify “reasonably foreseeable external risks,” and exercise oversight over third-party service providers. Id. (a)(4). The Bill also includes a list of potential security measures that each covered entity is to consider for implementation, including access controls and restrictions, encryption, quality assurance and quality control protocols, and monitoring systems. Id. (a)(5).
Aside from the security protocols, H.R. 2205 would require investigation of security breaches and notification under certain circumstances. Where a covered entity determines it has suffered a breach, it would be required to notify “an appropriate Federal law enforcement agency,” the overseeing federal agency, card payment networks, consumer reporting agencies, and affected consumers. Id. (c)(1)(A). The structure of the Bill would require covered entities to contact the federal law enforcement agency first, as H.R. 2205 allows the law enforcement agency to request a delay of customer notification. Id. (c)(2).
H.R. 2205 would also permit financial institutions to provide notice of a breach to account holders even in certain circumstances where the financial institution itself did not suffer a breach, but a service provider with access to account information did. Subsection (e)(3) provides that where a “covered entity that is not a financial institution experiences a breach of security involving sensitive financial account information,” the issuing financial institution may notify the affected account holders that the breach took place and that the financial institution itself was not breached. It would also allow the financial institution to identify the covered entity whose security was breached.
Aside from these provisions, H.R. 2205 includes a handful of other noteworthy items. First, the Bill would provide administrative enforcement under different acts based on the size of the particular covered entity. For example, the OCC would have enforcement authority as to national banks under the Federal Deposit Insurance Act. Id. Sec. 5. Second, H.R. 2205 excludes from its definition of “breach of data security” “unauthorized acquisition of sensitive financial account information or sensitive personal information that is encrypted, redacted, or otherwise protected by another method that renders the information unreadable and unusable if the encryption, redaction, or protection process or key is not also acquired without authorization.” Id. Sec. 3(3)(b). Finally, as drafted, H.R. 2205 would supersede certain state laws related to protection of consumer information, investigation of breaches, and mitigation of harm stemming from breaches. Id. Sec. 6.