As ordered reported by the House Committee on Financial Services on September 13, 2018
H.R. 6743 would require several federal agencies to establish standards regarding how financial institutions provide notifications of a data breach to customers. Under the bill, State insurance authorities would be required to enforce those standards.
Under the bill, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the National Credit Union Administration (NCUA), the Federal Reserve, the Securities and Exchange Commission (SEC), and the Federal Trade Commission (FTC) would be required to create or update their standards for notifying people about a data breach. Using information from several of those affected agencies, CBO estimates that the costs to implement the bill would not be significant for any agency.
Any spending by the FTC would be subject to the availability of appropriated funds. Because the SEC is authorized under current law to collect fees sufficient to offset its annual appropriation, we estimate that the net costs to the SEC would be negligible, assuming appropriation actions consistent with that authority.
Administrative costs incurred by the FDIC, the NCUA, and the OCC are recorded in the budget as increases in direct spending, but those agencies are authorized to collect premiums and fees from insured depository institutions to cover administrative expenses. Thus, CBO expects that the net effect on direct spending would be negligible. Administrative costs to the Federal Reserve are reflected in the federal budget as a reduction in remittances to the Treasury (which are recorded in the budget as revenues).
Because enacting H.R. 6743 could affect direct spending and revenues, pay-as-you-go procedures apply. However, the net effect on direct spending and revenues would not be significant.
CBO estimates that enacting H.R. 6743 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2029.
H.R. 6743 would explicitly preempt state and local laws that require insurance providers as well as financial institutions and their affiliates to notify customers in the event of a security breach. All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands would be affected. The bill also would preempt laws in at least 22 states that have enacted data security laws. These preemptions would be a mandate as defined by the Unfunded Mandates Reform Act (UMRA).
The bill also would require state insurance authorities to enforce new federal standards that would direct insurance agencies and brokerages to notify customers of a data breach. That requirement would be a mandate as defined in UMRA.
H.R. 6743 would impose private-sector mandates by requiring financial institutions and their affiliates to comply with new standards for data security and breach notifications as established by the federal government. Further, if federal regulatory agencies increase fees to offset the costs associated with implementing the bill, H.R. 6743 would increase the cost of an existing mandate on private entities required to pay those fees.
Because the various federal regulatory agencies have yet to establish the required data security and breach standards, CBO cannot determine if the cost to comply with the bill’s requirements would exceed the threshold for intergovernmental and private-sector mandates established in UMRA ($80 million and $160 million in 2018, respectively, adjusted annually for inflation).