Despite continued opposition from consumer advocates, a House subcommittee on March 25 advanced a bipartisan bill aimed at replacing a patchwork of state data security breach notification laws with a single national standard.
The Data Security and Breach Notification Act was reported by voice vote by the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade. It requires companies that collect and maintain consumers’ personal information to secure such information and to provide notice to affected individuals in the case of a breach of security involving personal information. Enforcement power would be granted to the Federal Trade Commission (FTC) and state attorneys general.
Currently, 47 states and the District of Columbia have breach notice laws. Only New Mexico, Alabama, and South Dakota do not. However, the Alabama legislature is considering a breach notice bill (S.B. 106) and is expected to become the 48th state to enact such a law.
“In today’s digital economy, a patchwork of State laws with varying requirements and breach notification standards is not an effective way to protect consumers and creates complex and, at times, competing or conflicting regulatory requirements for industry,” notes a March 16 Energy and Commerce Committee staff memo. “The costs to consumers and the economy of these malicious data breaches are substantial, costing tens of billions of dollars and hundreds of thousands of jobs.”
Proponents are hopeful that the full Committee will consider the bill sometime in the spring. Similar legislation died in the previous Congress, despite having bipartisan support following high-profile data breaches at Target Corp., Neiman Marcus. and Home Depot.
“We have worked hard in this bipartisan effort to produce language that will protect consumers by improving data security protections and setting a national breach notification standard for industry,” said Rep. Marsha Blackburn (R-TN), the sponsor of the bill, following the subcommittee vote. “Today was the first step toward this legislation becoming law.”
However, not everyone on Capitol Hill is optimistic about the bill’s prospect for becoming law. “Finding a workable bipartisan compromise that can become law has been elusive,” Subcommittee Chairman Michael Burgess (R-TX) said in a statement.
While consumer groups object to provisions they contend preempt stronger state laws and weaken existing consumer protections enforced by the FTC, the U.S. Chamber of Commerce has raised the opposite concerns. The business organization opposes the inclusion of language “that would specifically maintain a covered entity’s liability under common law,” the Chamber wrote in a letter to the subcommittee. “Based on prior federal court decisions, it is clear that this type of provision jeopardizes the legal sustainability of an otherwise effective preemption clause.”