National Data Breach Notification Bill AdvancesMeasure Would Pre-empt State Breach Notification Laws
A House committee has approved a national breach notification bill, but its chairman concedes that the legislation isn't quite ready for a vote by the full House of Representatives.
The House Energy and Commerce Committee approved on April 15 the Data Security and Breach Notification Act by a 29-20 vote, with only Republicans supporting the measure. Even its Democratic co-sponsor, Rep. Peter Welch of Vermont, voted against it.
Moments before the panel began to debate the measure, Committee Chairman Fred Upton, R-Mich., said, "I would confess that it's not quite ready and probably won't be quite ready when we get to final passage early this afternoon."
Republican leaders say they hope to bring up for votes on the House floor next week the breach notification bill and a cyberthreat information sharing measure that cleared another House committee earlier in the week (see House Panel Passes Cyberthreat Info Sharing Bill). Upton said he has asked members of both parties to work out their differences on the breach bill by next week.
Financial Harm Standard
The committee-passed bill would only require a business to report to consumers and law enforcement a breach that would result in financial harm. Many state laws require the reporting of other types of breaches that don't pose financial harm.
The bill that passed the Commerce Committee also would prevent states from enforcing more stringent security standards. Several states, including Massachusetts and California, have prescriptive security processes described in their laws that business must adopt; the bill approved by the Commerce Committee would usurp those provisions. The Data Security and Breach Notification Act would only require businesses to take "reasonable security measures and practices" to secure the personally identifiable information of customers, employees and stakeholders; it doesn't prescribe specific requirements.
Democrats offered a series of amendments, rejected by the GOP majority, which would have toughened federal requirements to safeguard private information and allowed states' attorneys general and citizens to take legal actions against businesses that failed to adequately safeguard private data. The Democrats also unsuccessfully sought to amend the bill to require notification even if the breach didn't result in financial harm.
Frank Pallone, the New Jersey Democrat who's the committee's ranking member, called the amendments balanced, protecting businesses and consumers. "Rather than diminishing consumers' current protections by an over-broad pre-emption (of state laws) and weak security standards and notification requirements, this amendment protects consumers without overburdening businesses that are victims of criminal breaches," Pallone said.
Keeping Bill Narrowly Focused
But the bill's sponsor, Republican Rep. Marsha Blackburn of Tennessee, said the legislation was designed to be narrowly focused. A Democratic amendment that would have allowed states to continue to enforce their more stringent security requirements, she said, would "still perpetuate concerns that we have with a patchwork of state laws. This is a problem that has grown that has not diminished through the years. ... We know the amendment is broad; it would add to the confusion."
Over Democratic objections, the committee adopted an amendment to cap at $1,000, down from $11,000, the penalty for each failure of a breached business to send individuals a notification. Republicans argued that those businesses are victims of breaches, too. Democrats, though, contended the higher penalty would encourage businesses to take appropriate steps to safeguard personal data.