A House of Representatives subcommittee on Wednesday approved legislation that would establish a national data breach notification law and require companies to implement data protection policies.
But it appears the measure faces an uphill climb, similar to past data breach notification proposals that never were enacted into law.
Following a lengthy debate, the bill, the Secure and Fortify Electronic (SAFE) Data Act, passed the House Subcommittee on Commerce, Manufacturing and Trade. Introduced by Rep. Mary Bono Mack, R-Calif., the legislation would pre-empt state data breach notification laws and require compromised companies to notify the Federal Trade Commission and affected individuals within 48 hours of determining whose personal information was lost or stolen.
If enacted, the bill would also require any business that owns or maintains personal information to have in place a security policy, an information security manager, and a process for minimizing data that is no longer necessary.
“It's time for Congress to take decisive action,” said Bono Mack, who chairs the subcommittee. “Sophisticated and carefully orchestrated cyberattacks – designed to obtain personal information about consumers, especially when it comes to their credit cards – have become one of the fastest growing criminal enterprises here in the United States and across the world.”
During Wednesday's hearing, Democrats on the committee took issue with the definition of personal information under the current version of the bill. The measure would require notification when an individual's name, address or phone number is compromised in combination with a Social Security number, driver's license number or financial account number.
Rep. Henry Waxman, D-Calif., said the bill is filled with “loopholes that sacrifice data security and privacy.”
As it stands, the legislation would not require organizations to report the loss of “most personal information stored online or in company databases” – such as payroll records; emails; data recorded on smartphones; photos and videos stored online; or records of consumer purchases, Waxman said. Bank and financial account numbers would not be covered unless a user's password, name, address or phone number was also stolen.
“A Social Security number or a credit card number is not personal information under this bill unless it is combined with other information,” Waxman said. “This bill eliminates scores of state consumer protections without putting equivalent or stronger federal protections in their place.”
Democrats proposed several amendments, which would have broadened the types of personal information covered and prevented the legislation from pre-empting more stringent state breach notification laws. Such amendments were rejected.
Republicans, however, touted the merits of the bill, noting it would enhance the protection of personal information by establishing uniform standards for data security and breach notification.
“We learned during our recent hearings that consumer notification is often hampered by the fact that companies must first determine their obligations under 47 different state [laws],” Bono Mack said.
Under the bill, breached entities would be required to notify the FTC “without unreasonable delay.” Notification to affected individuals must begin no later than 45 days after discovering the breach unless the company receives a written request by law enforcement to delay notification.
Over the past several years, lawmakers have introduced numerous federal data breach notification laws, with little success.
The SAFE Data Act will next move to the full House Energy and Commerce Committee for consideration.