Legislative battles are being predicted for next year in Congress and in the states, triggered by the impending expiration of a provision of the Fair Credit Reporting Act (FCRA) that blocks states from imposing their own data privacy rules.
Once that exemption expires in early 2004, states will be free to set privacy rules that exceed federal standards. The states, for instance, could limit affiliate sharing of customer data - a serious threat to financial services firms, which often set up different lines of business as affiliates, entities that exist only on paper. Systems that now freely exchange information between those affiliates may need to be significantly redesigned.
"There is a gathering storm," said Michael Beresik, who heads PricewaterhouseCoopers' national privacy practice. He sees the expiration of the FCRA preemption provision as the vehicle leading to a much larger debate on financial privacy, including a revisiting of the privacy provisions in the Gramm-Leach-Bliley Act.
The threat that states could impose their own more stringent rules is a real fear. According to the National Business Coalition on E-Commerce and Privacy, a Washington-based group that represents large financial services firms and retailers, 548 privacy bills were introduced in state legislatures this year. Some have already been enacted: San Mateo County in California recently set restrictions on data sharing and is now facing a court battle with the state's large banks, while North Dakota residents recently voted for restrictions.
"State legislatures are becoming more and more aggressive every year in terms of going their own way on privacy," Beresik said at the conference, sponsored by Ohio State University's Technology Policy Group.
To survive and keep the federal preemption in place, Kirk Hearth, chief privacy officer at Nationwide Financial Services in Ohio, said he believes "financial services industries are going to be forced to compromise very strongly" in Congress.
However, financial services firms are not the only companies facing trouble. While Congress is not expected to pass a broad commercial privacy bill this year, next year has potential. "A lot of the developments this session will be the launching point for what happens next session," said Stuart Ingis, an attorney at Piper Rudnick in Washington.
Bills in the US House and Senate could impose a number of requirements on companies regarding the use of data and customer consent. Both would restrict a state's ability to adopt its own rules to some extent.
These bills could also impose a number of practices on IT. The leading privacy bill in the House, the Consumer Privacy Protection Act, stands a good chance of winning backing from the House Committee on Energy and Commerce. It would require companies to participate in some kind of threat-warning service and to have a written security policy that a company's top executive is aware of.
The Bush administration has generally opposed requiring companies to take specific action, although it is seeking comment over the coming months on its draft cybersecurity protection proposal, which examines some of those issues.
Andy Purdy, senior adviser on the president's Critical Infrastructure Protection Board, said that his personal reaction "is that it is probably not too much to ask that CEOs and boards and directors are aware" of their company's security or privacy policies.
But while the White House would also recommend independent audits on a periodic basis, "I'm not suggesting that we require it," said Purdy.