Sen. John Rockefeller (D-WV), chair of the Senate Commerce Committee, is still working to reach consensus on the data security bill that he and Sen. Mark Pryor (D-AR) introduced in June.  A scheduled markup was canceled in September, and the committee decided not to consider the bill at yesterday’s executive session.  Nonetheless, a spokesman for Sen. Pryor said Tuesday that lawmakers are “hoping to resolve any disagreements so the bill can be on a December markup.”

The bill, S. 1207, requires firms to establish information security policies for safeguarding personal information and to provide notice in the event of a security breach. Sens. Rockefeller and Pryor are reportedly reworking the bill in the hopes of securing bipartisan support.  A draft amendment circulated last week would, among other things:

  • expressly exempt entities that are subject to information security requirements under the Gramm-Leach-Bliley Act, HIPAA or HITECH, or the Communications Act;
  • delete special requirements for information brokers;
  • restrict the remedies available to state attorneys general when bringing suit on behalf of state residents; and
  • expand the definition of “personal information” to include unique biometric data and information about an individual when combined with authentication credentials for any financial account, but eliminate the FTC’s ability to modify the definition.

As we previously discussed, data security remains a subject of interest in both chambers of Congress.  Three other data security bills were approved by the Senate Judiciary Committee in September. Rep. Mary Bono Mack (R-CA) met with other lawmakers yesterday to discuss her breach notification bill and is confident that the legislation has enough support to pass the House Energy and Commerce Committee in the next few weeks, although the decision to schedule a full committee markup will be up to committee chairman Rep. Fred Upton (R-MI).