A national data breach notification standard moved one step closer to reality on Wednesday after the House Energy and Commerce Committee passed a bill along party lines. Though the long-sought-after federal legislation next moves to a full House vote, it no longer has the bipartisan support it had before yesterday, as the bill's co-sponsor voted against it.
The Data Security and Notification Act (H.R. 1770) passed the committee 29-20, strictly along partisan lines, and would establish a uniform and narrow standard for data security obligations and breach notification. Under the proposed legislation, businesses would have to notify affected consumers within 30 days only if the breach results in financial harm. This bill would also preempt many more stringent state data security laws—particularly in Massachusetts and California. Instead, businesses would need to take “reasonable measures and practices” to secure personally identifiable information.
Co-sponsor Marsha Blackburn (R-TN) says the bill will get rid of the patchwork of dozens of state laws, making it easier for businesses to comply with one, narrowly defined national standard. Prior to Wednesday’s markup, Blackburn lauded the bill’s data security aspects to The Washington Post, saying, “Every American deserves to have their personal information protected, but right now only 12 states have data security requirements,” adding, “We want to provide strong protections to everyone, and we go even further than most of the states that do have security laws.”
But Democrats and several privacy advocates are concerned the bill will actually weaken privacy protections for consumers. Ranking member Rep. Frank Pallone (D-NJ) said the legislation is “deeply flawed” while adding, “I am very concerned … I just think that this is moving much too quickly. There are a lot of changes that I think need to be made.” Pallone said his biggest concern is the bill’s preemption of stronger state standards.
During Wednesday’s markup, Democrats offered a number of amendments to strengthen consumer privacy protections in the bill, but all were voted down. According to BankInfoSecurity, some of the amendments would have toughened data security requirements and would have allowed state attorneys general and citizens to take legal action against businesses that failed to meet them. Another amendment would have required notification without the financial harm trigger.
Rep. Bobby Rush (D-IL) put forth one amendment that would have expanded the definition of personally identifiable information to cover emails, health information as well as geolocation information. The amendment would also have taken out the financial harm trigger, limited state preemption and allowed for enforcement by state attorneys general.
One amendment that did pass, however, over the objection of the Democrats, would lower the cap on financial penalties for each failed consumer notification from $11,000 to $1,000.
Laura Moy, a technology policy lawyer at New America’s Open Technology Institute (OTI), said the bill will harm consumer privacy protection by preempting stronger state laws and by shifting some enforcement authority from the U.S. Federal Communications Commission (FCC) to the U.S. Federal Trade Commission (FTC).
Speaking for the OTI, Moy said, “We are extremely disappointed to see the committee advance a bill that is weaker than the data security and breach notification standards that consumers currently enjoy under stronger state laws and existing federal law, which this bill would preempt.” She said that the OTI is not opposed to a federal standard, but such a standard “shouldn’t be weaker than the status quo.”
Moy said the new bill, had it been in effect, would have prevented the FCC from fining AT&T $25 million for an internal privacy breach. She explained the legislation would “prevent the (FCC) from continuing its strong enforcement of data security and breach notification standards against telecommunications providers …”
Under the current regime, telecommunications providers (and, once the new net neutrality order takes effect, Internet providers as well) must notify consumers if their personal data has been breached, regardless of financial harm, a requirement enforced by the FCC. However, the new bill would shift such authority to the FTC and potentially undercut data security requirements mandated by the FCC, according to Moy.
Though he did not vote for the bill he co-sponsored, Rep. Peter Welch (D-VT) is still optimistic a good bill will pass. “I felt very good about the hearing,” he said, “and I think we can fix it.”
Others are optimistic about the future of a federal breach standard as well. DLA Piper Partner Jim Halpert told Privacy Tracker that the “House bill will certainly pass.” He cautioned though that the finer details will be hammered out in the U.S. Senate. “The Senate has been the graveyard of federal breach notices for the past 10 years,” said Halpert. “But this year could be different. The Senate Judiciary Committee has thus far not expressed interest in entering the usual Senate committee jurisdiction scrum over data breach legislation.”
Halpert also noted that Sens. Tom Carper (D-DE) and Roy Blunt (R-MO) are currently drafting a bipartisan bill “that might be able to garner 60 votes to pass the Senate.”
In the meantime, House leaders, according to The Hill, will next focus on cyber-related bills, but there is a chance the Blackburn-Welch bill could get a floor vote in the House.
For those interested in hearing Wednesday's full markup of H.R. 1770, here's the video: