By a vote of 29 to 20, a still politically divided House Energy & Commerce Committee approved the Data Security and Breach Notification Act. It is now expected to be taken up in the House next week, though both Republicans and Democrats signaled there would be changes to the bill before then.
The bill, co-sponsored by House Energy & Commerce Committee vice chair Marsha Blackburn (R-Tenn.) and Rep. Peter Welch (D-Vt.), would require entities that collect personal information to secure it and provide notice to individuals if that security is breached.
It would do so by preempting the current "patchwork" of laws with a single, national protection/notification standard.
At the markup of the bill Wednesday (April 15), its bipartisan co-sponsorship was belied by the political and issue divides that still remained.
Chief among them is the bill's preemption of state data security breach protection laws, which Welch says is necessary and other Democrats say could wind up weakening protections given a national standard they say does not sufficiently protect personal information.
Another big issue is how the Federal Trade Commission and FCC would divide up oversight of privacy. The bill would move some of the FCC's oversight of CPNI (customer proprietary network information) to the FTC.
E&C chair Fred Upton (R-Mich.) said the bill was not quite ready.
But both Republicans and Democrats were ready to air their strong differences.
Welch conceded it was not a perfect bill, but signaled that perfect was the enemy of the public good of taking some action to prevent hackers from monetizing information and harming consumers. He said that he was not ordinarily a fan of preemption, but that without preemption there was no protection because while the Internet went everywhere, strong state law protections were bounded by the "four corners" of that state.
Many Democrats complained that the bill focused on financial harm from the hacking of personally identifiable information (PII) it sought to protect, leaving gaps for emails, geolocation, health information, VOD records and more.
Rep. Bobby Rush (D-Ill.) offered an amendment in the form of a substitute bill that would have added those categories and more, limited preemption of state laws, required notification of all breaches (not just ones triggered by financial harm), left more enforcement authority in the hands of state attorneys general, and required breach notifications within a set time period. It was defeated, which led at least one Democrat to comment that they were not sanguine about being able to come up with a bill both sides could support.
That amendment was similar to a data breach bill offered up several Congresses ago, and supported now, as then, by its co-sponsors Rush and Rep. Joe Barton (R-Texas). Barton has diverged from other Republicans in the strength of his support for privacy protections, as Welch has diverged from other Democrats in his support for this bill, which he points out will at least deal with the financial harm, leaving other privacy issues for further legislation.
Barton pointed out at the hearing that his bill with Rush passed by a voice vote in this same committee, and had also passed the House before Senate inaction.
Among the changes to the bill made in amendments that were approved was capping the FTC fines for first-time violators of breach notification requirements. Its author pointed out that those companies were victims too. Ranking member Rep. Frank Pallone (D-N.J.), who opposed the bill as too weak, also opposed the amendment. He said the FTC needed fining authority commensurate with the offense.
Another amendment that passed added email addresses associated with passwords and user names to the list of covered personally identifiable information. Both Republicans and Democrats supported that amendment.
Rep. Rush said the committee was trying to rush a bad bill through, while Rep. Anna Eshoo (D-Calif.), ranking member of the Communications Subcommittee, said she was encouraged by Upton's acknowledgement that the bill still needed work, and pledged to work with him, agreeing that something needed to be done to combat growing breaches.
But it is unclear how much room for compromise there is on issues like preemption, and extending the covered PII to health information, which some Democrats say is necessary and Welch said did not belong in the bill, in part because the bill needs to get enough votes to pass.
Rep. Michael Burgess (R-Texas) said hackers are not interested in their targets' fitness or geolocation, but in monetizing stolen data. He conceded the bill would not stop every incident, but said that a narrow approach might help contain the biggest threat, which was financial.