Legislation to replace a patchwork of state data security breach notification laws with a national standard made its way through a key House Committee on April 15, but not without strong criticism from both consumer advocates and industry groups.
The Data Security and Breach Notification Act (H.R. 1770) was reported favorably by the House Energy and Commerce Committee on a party-line vote of 29 to 20. The bill requires companies that collect and maintain consumers’ personal data to employ “reasonable security” to protect it, to conduct a good faith investigation after discovering a security breach, and to notify consumers about the breach. However, it exempts situations where there is no reasonable risk that the security breach has resulted in, or will result in, identity theft, economic loss or economic harm, or financial fraud to the individuals whose personal information was breached.
“Over 40 bills have been introduced in Congress since the first major data breach in 2005 and we haven’t yet reached the finish line,” said Rep. Fred Upton (R-MI), chairman of the committee. “This committee has worked hard to find a balanced, well-targeted solution, and I believe our legislation is closer than we have come in a long time to addressing a problem that has only worsened over the past decade.”
The bill is unlikely to move forward in the full House until substantive changes are made to address the opposing views of consumer advocates, who believe the bill weakens state consumer protection laws, and the U.S. Chamber of Commerce, which wrote in a letter that the pre-emption provisions are insufficient to prevent class action litigation based on state common law.