Data Breach Notification Legislation Moves Forward

The controversial data breach notification legislation made its way past the committee level yesterday (April 15) when the House Energy and Commerce Committee approved the measure 29-20.

The Data Security and Breach Notification Act of 2015, which was sponsored by Republican Rep. Marsha Blackburn and Democrat Peter Welch, was approved by the House Energy and Commerce Subcommittee on Trade in late March and has now cleared the full Energy and Commerce Committee with amendments.

While some legislators have argued the bill is too vague and overarching, others think there need to be more provisions for enhanced consumer data protection at the state level as well as the federal level. Democrats against the bill have pushed to have more specifics included, while proponents of the bill think tailoring it too much would blunt the impact of the legislation.

“I am very concerned,” Rep. Frank Pallone (D-N.J.) said yesterday, according to The Hill. “I just think that this is moving much too quickly. There are a lot of changes that I think need to be made. I’m very concerned, particularly, about the preemption issue. All of these things need a lot of time and work … I would like to see the process slowed down.”

In response to the bill’s committee approval, the National Retail Federation (NRF) released a statement from Senior Vice President and General Counsel Mallory Duncan.

“We need strong tools to combat criminal data breaches. Throughout this process, it has been our goal to work toward legislation that advances and strengthens consumer protections and incentivizes businesses to safeguard sensitive data. NRF commends the committee leadership and bill sponsors for their dedicated efforts to reach these important goals,” she said. “In order to be successful, data breach legislation must secure a single national standard and match any penalties to obligations so as to avoid adverse effects on small and medium-sized businesses attempting to deal with the scourge of criminal hacks.”

On behalf of the NRF, she praised the committee for passing the measure and urged that the “legislation must ensure public notice of breaches so consumers are promptly and effectively informed and businesses understand and appreciate the consequences of failing to adequately guard sensitive information.”

The bill requires that a business inform customers within 30 days if their data might have been stolen during a breach. The clock does not start at discovery: it starts only after the business has discovered the breach, conducted a good-faith investigation to determine whether there is a reasonable risk of identity theft, financial fraud or economic loss or harm, and restored the security of the breached systems. In practice, the time between the initial discovery and consumer notice can therefore be well over 30 days.

In addition, the amended bill would require breached third-party vendors to notify affected consumers on the same schedule.

But the bill also preempts state notification and security requirements, many of which conflict with one another. Opponents of previous breach bills have fought for a single national standard for both notifications and security requirements. The new legislation replaces the specific requirements that exist in 47 states with a general duty to maintain “reasonable security measures and practices.” That last provision is one reason the bill has been so controversial: some legislators have said the standard is too vague and could prove overly intrusive into business operations and consumer privacy.