“Over 40 bills have been introduced in Congress since the first major data breach in 2005 and we haven’t yet reached the finish line,” commented Rep. Fred Upton (R-MI), chairman of the House Energy & Commerce Committee, during debate on legislation that would set a national standard for data security.
Hopefully, we are closer to the finish line now.
Legislation earlier endorsed by MRA, H.R. 1770, the Data Security and Breach Notification Act, passed the Energy & Commerce Committee on April 15 by a vote of 29 to 20, and should come to the floor of the House of Representatives for a vote sometime soon. Should it become law, it will preempt the cacophony of conflicting state laws, setting “a national standard to help protect consumers’ sensitive information from the ravages of identity theft, fraud, and other criminal abuse, without impeding the essential work of the survey, opinion and marketing research profession.”
MRA specifically appreciates that H.R. 1770 concisely defines the personally identifiable information covered, explicitly establishes the FTC’s authority over data security, provides regulatory flexibility, and requires consumer notification within a reasonable (and not arbitrary) timeframe.
Debate on the Act did not go smoothly: Democrat Congressmen offered multiple amendments, including several substitute amendments. One from Rep. Bobby Rush (D-IL) and Rep. Jan Schakowsky (D-IL), for example, would have replaced the entire Act with a copy of Rush’s data security bill from Congress’ past, which included extensive regulations of data brokers (which would pose a serious threat to the research profession). Most were rejected.
Rep. Peter Welch (D-VT), co-author of the data security bill with Rep. Marsha Blackburn (R-TN), pleaded with colleagues on his side of the aisle to hold their fire because "a narrow approach is essential to providing any protection to consumers." Like Upton, he noted that Congress hasn’t passed privacy legislation “because we don't have consensus on these things.” Instead of hammering those issues, he has proposed to pass legislation “where we do have consensus, to protect people's financial information.” It is “the one thing that has to be done," Welch said.
The Blackburn-Welch bill resulted from their co-leadership of a House Privacy Working Group, launched in 2013 by then-Commerce Subcommittee Chairman Lee Terry (R-NE).
Rep. Joe Barton (R-TX), a long-time privacy hawk and former chairman of the committee, complained more than once that the Act "doesn't go far enough to protect the individual." Rep. Anna Eshoo (R-CA) similarly worried that the Welch-Blackburn data security bill "severely reduces consumer protections."
Extra grief from the Democrat side arose when Rep. Pete Olson (R-TX) offered an amendment to cap the amount of civil penalties that could be levied on first-time offenders. Consumers are not the only victims in a data breach, Olson said – the breached businesses are also the “victims of criminals hacking their system."
While many Democrats chimed in with concerns about short-changing consumers, as well as claims that every business knows it has to provide reasonable data security (which is a key point of contention in the FTC’s data security litigation with Wyndham Hotels and LabMD), Rep. Kurt Schrader (D-OR) offered Olson his support. "The businesses are the victims,” Schrader insisted, and while “larger companies have been dealing with this for years,” like LabMD, “most small businessmen and women have no clue about any obligations... or how to go about implementing even this bill."
Welch reminded the committee that the primary goal of the Act is “to protect the consumer, not the company,” but he acknowledged the massive "reputational damage" from a data breach that can potentially destroy a business. "The last thing they want is to have a breach," he said of most companies. In the end, Welch wasn’t yet certain about the right dollar amount for civil penalties, so while he felt that the "spirit of this amendment makes sense," he voted no.
The amendment to cap penalties for first-time offenders (or should we call them victims?) still passed.
Keeping the Act as simple as possible was a key motivator for committee leaders. Rep. Jerry McNerney (D-CA) proposed a small amendment to require entities suffering a breach to notify state Attorneys General (AG), which would give them more of a chance to get involved. Barton offered a series of amendments to shorten and stiffen the timeframe between discovering a breach and notification of regulators, law enforcement and consumers. A pair of amendments from Rep. Joe Kennedy (D-IL) that would have weakened the preemption of state laws, similar to the debate during subcommittee, were also turned aside. Rep. Tony Cardenas (D-CA) brought a slew of amendments with him, focused on the triggers for breach notification, provision of automatic credit protection for affected individuals, and more.
All were withdrawn or voted down. However, Upton appeared eager to accommodate one of Cardenas’ proposals, which would allow consumer notification in foreign languages, as well as proposals from Barton to add greater transparency requirements and data disposal requirements. The Chairman stressed his desire to work with all his colleagues to find more bipartisan consensus on the language of the bill before a final vote occurs on the House floor.
Final committee vote and next steps
Although it was contentious, the Energy & Commerce Committee debate still went significantly more smoothly than the June 2011 Commerce Subcommittee meeting, where partisan rancor, intra-party disagreements, and dozens of amendments dragged out debate on the SAFE Data Act all day. That data security bill passed the subcommittee along with several amendments strongly endorsed and supported by MRA, but never progressed any farther in the legislative process. MRA looks forward to a much better outcome, and a law, soon.
Surprisingly, original co-author Welch did not vote for the final bill, nor did several Democrats who had supported its passage during subcommittee markup. However, Welch told reporters he is optimistic that a few key differences can be ironed out quickly, particularly some specifics on the preemption of state laws related to healthcare data.
The Data Security and Breach Notification Act could come up for a floor vote as soon as next week, when the House leadership has planned votes on a series of cybersecurity-related bills, so negotiators will have to work fast. As Chairman Upton kept emphasizing, he is trying to thread the needle with a bill that can pass the Senate as written. It has become so difficult to complete the legislative process in the Senate that no one expects a more perfect piece of legislation to advance; the Senate may not be able to hammer out a different Senate data security bill and then go to a “conference” to work out differences between House and Senate versions of the legislation.
The best course may be to get as clean a bill as possible through the House, with as much support as possible, and hope the Senate can stomach it. We will cross our fingers that it works, and continue to work on the Hill to help.