Congress Grapples With The Right Mix For Bipartisan Data Breach Bill
By Leigh Orliner LaMartina
Congress is making real progress on a bipartisan bill intended to stem the wave of data breaches that, with alarming regularity, expose large volumes of sensitive consumer financial information.
On March 25, 2015, the House Energy and Commerce Committee voted to approve the Data Security and Breach Notification Act of 2015 (the “Act”), which was authored by Rep. Marsha Blackburn (R-TN) and Rep. Peter Welch (D-VT).
The proposed legislation would mandate that entities (1) maintain reasonable data security measures; and (2) notify consumers in a timely manner of data breaches that may leave them vulnerable to economic harm. This standard would apply to entities that own or possess, or contract with third parties to maintain or process, data containing certain personal information. Notably, in early drafts, third-party “Service Providers” were exempt from the draft’s security and notification requirements and were required only to notify the “Covered Entity” whose data had been breached.
A week earlier, the House Subcommittee on Commerce, Manufacturing, and Trade heard testimony on the draft law. The March 18 hearing revealed that while stakeholders generally agree on the need for a uniform national standard, significant controversy remains as to the content of that standard:
- The draft legislation covers only information that, if breached, is deemed to put consumers at risk of financial harm or identity theft. The Federal Trade Commission (FTC), which would be tasked with enforcement, advocated for a broader definition of covered information to include items such as location information and health data not already covered by HIPAA. In contrast, the FTC’s former chairman Jon Leibowitz (who is now co-chair of the 21st Century Privacy Coalition) lauded the Act’s narrowly tailored definition of “Personal Information,” saying that a narrow standard would help to avoid over-notification and desensitization of consumers to data breaches.
- While witnesses agreed that the current patchwork of state data security and notification laws creates a compliance quagmire for businesses, they took different positions on the appropriate relationship between a uniform federal standard and state statutes. As drafted, the Act would preempt the 47 existing state data security and notification laws, but not state common law causes of action. Some existing state laws impose higher standards of data security than would be required under the Act, causing a representative of the Massachusetts Attorney General’s office to assert that the draft’s preemption of state laws “undercuts consumer protections” and “infringes on the States’ consumer protection enforcement authority.” Arguing the opposite position, business witnesses urged that the Act should preempt both state statutes and common law to create a clear federal regime with consistent and predictable enforcement.
- The Act would preempt the Communications Act’s requirements, currently enforced by the Federal Communications Commission, that telecommunications carriers, Voice over IP (“VoIP”) providers and cable and satellite television providers protect certain customer information. FCC Chief Counsel Clete D. Johnson expressed the Commission’s concern that the Act would leave gaps in these currently-regulated areas.
- Mallory Duncan, Senior Vice President of the National Retail Federation, urged the Committee to remove the draft Act’s exemption for third-party service providers, stating that “[e]xemptions for particular industry sectors not only ignore the scope of the problem, but create risks criminals can exploit.” Mr. Duncan explained that relationships in the retail industry are often one-to-many (a single payment processor serving many retail stores, for example), so exempting the processor and leaving notification to each store would create a substantial risk of duplicative notification and a lack of transparency in that notification.
Following the hearing and a March 25 session on the discussion draft and several proposed amendments, the Committee voted to approve the draft law. Importantly, the Committee approved an amendment by Rep. Pompeo (R-KS) that narrows the exemption for Service Providers, requiring those entities to abide by the notification requirements unless the non-breached Covered Entity elects to provide notification in their place.
Subcommittee Chairman Michael C. Burgess expressed his hope that the Act’s narrow scope would help to achieve a “bipartisan compromise that can become law.” Such a compromise has eluded Congress before: similar bills have been introduced, and then stalled, with regularity over the past several years. While the current discourse makes clear that a uniform national standard could benefit consumers and businesses alike, the path to that standard remains to be determined.
– Edited by Gary J. Malone