A House commerce subcommittee passed a data breach bill on a voice vote and moved the draft to the full House Energy and Commerce Committee. The committee staff bill is scheduled to be taken up by the full committee later this spring.
Data breaches have been a near-daily occurrence for consumers and companies. Millions have had their personal information compromised in such high-profile breaches as the ones at Target and Home Depot.
While the Data Security and Breach Notification Act won’t eliminate breaches, it would provide consumers better notice by setting a national standard for how companies and organizations protect consumer data. It pre-empts a patchwork of 47 separate state data breach statutes, a provision that makes it a favorite of businesses. Companies and organizations would have 30 days to notify consumers if their personal data, such as Social Security numbers or account numbers, is compromised. In addition, the bill gives broader authority to the FTC to fine companies that fail to secure data.
“This bill takes an important first step forward in protecting American consumers and businesses from cyber criminals. Making progress on this front, we hope, can lead to consensus on protecting data in all its forms,” wrote Reps. Marsha Blackburn (R-TN) and Peter Welch (D-VT) in a CNBC op-ed published this morning.
“Our bipartisan draft … combines the security requirement with robust enforcement at the federal and state level to maximize enforcement and consumer access. This would send a clear message to companies to improve security for all consumers rather than playing games state by state,” wrote Blackburn and Welch.
While the bill’s sponsors are bipartisan, support is not unanimous on the Democratic side of the aisle. Ranking member Frank Pallone, Jr. (D-NJ) raised several objections in his opening statement.
“Many of the 51 state and territorial breach notification laws provide greater protections for consumers,” said Pallone. “This draft preempts stronger state and federal laws…preempts state private rights of action, and does not cover health information.” The draft also “…replaces [state data security laws] with an unclear standard that will surely be litigated and left to judicial interpretation.”
Pallone also opposed moving jurisdiction for data security, breach notification, and privacy for telecommunications, VoIP, cable, and satellite services from the Federal Communications Commission to the Federal Trade Commission.
“No one questions the Federal Trade Commission’s expertise in data security, but the FTC is primarily an enforcement agency and it lacks the necessary tools to effectively handle the unique data security, breach notification, and privacy issues of those services,” said Pallone.