Yesterday, the House Subcommittee on Commerce, Manufacturing and Trade held its second hearing on data security in the past month. The hearing featured the testimony of top executives from Sony and Epsilon, companies that have recently been the victims of large-scale cyber attacks. The hearing focused mainly on the specifics of the recent attacks, the companies’ notification of affected individuals, and the steps the companies have since taken to improve the security of their networks. The prospect of federal data security legislation was discussed briefly, however, and both the members and the witnesses agreed that such legislation would ease the burdens on businesses, which currently must navigate a complex (and sometimes inconsistent) terrain of state data security laws.
As we have previously noted, two members of the Subcommittee, Reps. Rush and Stearns, have introduced comprehensive data security legislation in this Session. At yesterday’s hearing, Subcommittee Chairman Mary Bono Mack reaffirmed her intention to do the same. In her opening statement, she explained that her bill would be based on three guiding principles:
- First, companies and entities that hold personal information must establish and maintain security policies to prevent the unauthorized acquisition of that data.
- Second, information considered especially sensitive, such as credit card numbers, should have even more robust security safeguards.
- Third, consumers should be promptly informed when their personal information has been jeopardized.
It is unclear whether Rep. Bono Mack’s bill will differ substantially from those introduced by Reps. Rush and Stearns (which are themselves very similar to each other). But based on this brief statement, it appears that the bill might distinguish between the security requirements for different types of data, which neither the Rush nor the Stearns bill does.