WASHINGTON — State legislatures around the country have aimed to ease the impact of various data privacy and cybersecurity laws on banks, but some analysts say exemptions for institutions subject to federal law may not go far enough.
Unlike other types of companies, banks are already subject to certain data security requirements under the Gramm-Leach-Bliley Act of 1999. As a result, virtually all the legislative proposals considered by states to fill data security and privacy gaps contain some kind of exemption for financial institutions.
But as new bills from state legislatures continue to pile up with the goal of improving consumer protections, many of them have differing approaches to establishing carve-outs for financial institutions subject to the 1999 law. Industry representatives worry that the lack of a uniform framework means banks will still have to put forth significant compliance effort.
“If we end up with significantly inconsistent legislation from the states, we put banks at risk of completely revamping their privacy programs not for consumer interest, but for the sake of compliance,” said Amy Mushahwar, a partner at Alston & Bird. “That would be a detriment.”
Since 2018, lawmakers in roughly half of all U.S. states have at least considered legislation creating a new data security or privacy framework, and a handful of those bills have become law. In 22 states, lawmakers have debated actual bills, while in others officials have created task forces to explore legislation, according to analysis from the
While many of the proposals share common requirements and exemptions, none are identical. Analysts say that even the smallest discrepancies will have ripple effects for banks.
"States are moving very quickly. A dozen states in the last 12 months have introduced privacy legislation. A lot is similar but not identical, and some are radically different," said Amanda Lawrence, a partner at Buckley.
A central question is how state governments will try to address the already substantial data privacy requirements that banks face under federal law.
Gramm-Leach-Bliley imposed safeguards on banks that correspond with provisions in bills many legislatures are considering or have already passed, including a requirement that financial institutions explain to customers how their data is used and a right for customers to opt out of having their personal information shared with nonaffiliated third parties.
Nearly all state privacy and data security bills now under consideration recognize the need to exempt financial institutions from redundant layers of compliance. But the states have not taken a uniform approach to defining such exemptions.
For example, Nevada’s privacy law enacted in May of last year exempted financial institutions from new requirements at the entity level, meaning that any bank subject to the requirements of Gramm-Leach-Bliley would be exempt from the new law.
But in California, lawmakers took a different tack by structuring the exemption at the data level. That means the financial data governed by Gramm-Leach-Bliley is exempt from the new state rules, but a bank’s non-financial data — such as data used for marketing purposes or shared with affiliates — still falls under the state’s new requirements.
Some analysts say such a distinction might make sense in theory, but in practice not all banks separate their consumer data into financial and non-financial categories.
“What happens when a company has data that it uses for multiple purposes, and some data is exempt but not all of it?” Lawrence said. “It creates an internal, dual framework within companies based on the laws of individual states.”
But others say that even if banks have to make some changes resulting from new data security frameworks created at the state level, their compliance requirements will likely be minor compared with those of other industries that have avoided privacy and data security standards.
“A lot of these laws won’t have a huge impact on bank practices, because banks are used to dealing with this kind of regulation. If they were sharing data or selling ads with user permission, this would be a much bigger issue,” said Rahul Telang, professor of information systems at Carnegie Mellon University.
“Banks are already complying with a lot of the ideas that are being proposed,” he said. “Most of the things the new regulation is after, banks are already on top of.”
Most states mulling privacy law today appear keen to follow California’s lead and exempt the data governed by Gramm-Leach-Bliley.
Pending proposals in Illinois, New York and Washington state are using similar data-level exemptions. Legislative proposals in Maryland, Mississippi, New Mexico and Virginia also tried the data-level approach, but those efforts failed.
Besides the law passed in Nevada, only the bills pending in Florida and Nebraska exempt financial institutions at the entity level.
If a bank operates solely in states where exemptions are organized at the entity level, analysts say its day-to-day operations may not change much, if at all.
But data-level exemptions can be particularly problematic in bills that grant consumers new rights over the personal data organizations hold about them, because those rights reach marketing data and other nonfinancial data not governed by Gramm-Leach-Bliley.
Bills to expand consumer access to personal data have been introduced in California, Illinois, Minnesota, New York and other states.
Gramm-Leach-Bliley likewise gives consumers no right to correct personal data they believe a company holds inaccurately or in a misleading form. Bills proposed in New York, Washington and Illinois would grant them that right.
"It's important to have these exemptions at the entity level in as many states as possible. It keeps the programs consistent," Mushahwar said. "Banks shouldn't be spending valuable resources on overlaying levels of state compliance that will add a significant amount of operational difficulty without getting much more data to the consumer."
Another concern for banks from state privacy legislation is a "private right of action," which allows consumers to bring both individual and class action lawsuits against a company when a state’s data privacy law is broken.
To date, only California has passed legislation with a private right of action. That provision is limited to certain data breaches, and the law was not yet being enforced while the California attorney general’s office finalized regulations to clarify key components of the statute. Bills in Illinois, New Hampshire, New York and South Carolina would also include a private right of action.
Some analysts say that legislation with a private right of action could upend consumer law because of the sheer volume of data breaches. If individual and class action lawsuits become commonplace in the aftermath of a breach, some financial analysts warn, the litigation could pull resources from a bank’s other operations.
“Banks want to spend their money improving security programs,” Mushahwar said. “If we add in millions if not billions of dollars in consumer protection lawsuits, that’s going to directly take away from consumer services and spending on security.”
Experts also express concern about a provision in the New York Privacy Act, unveiled in June, that would make companies operating in the state "data fiduciaries."
“The implications of a fiduciary duty are huge,” Lawrence said. “In some of the legislation that has been proposed, the fiduciary duty a company has to protect consumer data trumps any other duty, including its duty to shareholders.”
So far, New York has been the only state to propose such a measure, and it’s unclear what the prospects of the bill will be in the state’s 2020 legislative session. But the idea has also appeared at the federal level, namely with the Data Care Act introduced by Sen. Brian Schatz, D-Hawaii, in late 2018.
“That could very well change the decisions companies make about the types of products and services they offer and potentially could stifle innovation,” Lawrence said.