A draft data breach bill introduced by a House Democrat and Republican may have to go through a few more edits before it can advance in committee.
Leading Democrats on the House commerce committee pushed back Wednesday on the draft released last week by vice chair Marsha Blackburn (R-Tenn.), and Peter Welch (D-Vt.) during a hearing to discuss the draft before the commerce, manufacturing and trade subcommittee, chaired by Rep. Michael Burgess M.D. (R-Texas).
“Having some Democrats support a measure does not make a bill bipartisan,” said House commerce ranking member Frank Pallone (D-N.J.), who took a swipe at the GOP leadership for failing to give members a full week to review the draft, bucking a long-held tradition.
With data breaches pummeling consumers and tarnishing brands on almost a daily basis, there’s a lot of energy on both sides of the aisle for some sort of data breach and security bill. How to get there has stumped lawmakers for the last couple of Congresses.
The Data Security and Breach Notification Act would set a national standard for how companies and organizations protect consumer data pre-empting a patchwork of 47 separate state data breach statutes, which makes it a favorite provision of businesses. Companies and organizations would have 30 days to notify consumers if their personal data like social security numbers or account numbers, are compromised. In addition the bill gives broader authority to the FTC to fine companies that fail to secure data.
“Some will complain about what is not in the bill,” said Burgess. “I want to be very clear. While we don’t tackle privacy in this legislation, we don’t pre-empt it either,” he said.
But Democrats aren’t yet convinced.
Rep. Jan. Schakowsky (D-Ill.) ranking member of the commerce, manufacturing and trade subcommittee ticked off a number of significant changes she’d like to see made to the draft, adding that in its current form it “would leave consumers with fewer privacy protections….” and “prevent states from enforcing their own privacy laws.”
“The draft is too broad where it should be narrow and too narrow where it should be broad,” Schakowsky said.
Stressing that the bill is a discussion draft, Welch said the bill was “narrow and smart” and didn’t limit states to enforce their own privacy statutes. “This isn’t a privacy bill.”
The draft also stirred up a brewing jurisdictional debate between the FTC and the FCC over which agency should take the lead enforcing data security and privacy. Under the FCC’s net neutrality order, the FCC would extend its current privacy authority over common carriers to include broadband service providers. But under the draft data breach bill, the FTC would get broader authority over all data security cases, including common carriers.