by David Fagan, Libbie Canter, and Josephine Liu

The House Subcommittee on Commerce, Manufacturing and Trade held a hearing yesterday on draft data security legislation authored by Chairwoman Mary Bono Mack (R-CA).  The hearing was very well attended with significant substantive engagement by Subcommittee members on both sides of the aisle — an indication that the Subcommittee and the broader House Energy and Commerce Committee are committed to moving data security legislation this year.  To that end, it is worth noting that while the House last year passed legislation drafted by Rep. Bobby Rush (D-IL) — which was re-introduced earlier this year, along with a similar legislation from Rep. Cliff Stearns (R-FL) — Rep. Bono Mack’s legislation, the Secure and Fortify Electronic Data Act, or SAFE Data Act, is expected now to form the basis for legislation in the House this year.

We previously analyzed Rep. Rush’s bill here, and we noted here that Rep. Stearns’s bill is similar in many respects.   Rep. Bono Mack’s discussion draft likewise builds on the Rush legislation, but it contains some notable differences.  For example:

  • Data minimization plan.  Persons covered by the bill would be required to establish a plan and procedures to only retain data reasonably needed for legitimate business purposes.
  • Notification within 48 hours.  For breaches requiring notification, law enforcement would need to be notified within 48 hours of discovery of the breach; consumers and the FTC would need to be notified within 48 hours after the entity completes an internal assessment of the breach. 
  • Application to non-profits.  The FTC would have jurisdiction over non-profits such as universities and charities for purposes of enforcing the bill. 
  • Omission of information broker provisions.  While the draft’s information security and breach notice provisions would apply to information brokers, the draft does not contain separate, heightened privacy obligations applicable to information brokers.

The following issues received particular attention at the hearing yesterday:

  • Appropriate timeframe for notification.  Rep. Henry Waxman (D-CA) expressed concern that the discussion draft would permit companies to delay notification until after completing an assessment of the nature and scope of the breach, which could take a very long time.  FTC Commissioner Edith Ramirez, who testified on the first panel, agreed this was a concern, indicating that she believes that the standard for notice should be “as soon as practicably feasible.”  When pressed by Rep. Waxman, Commissioner Ramirez agreed that 60 days might be appropriate as an outside limit.  She also said that the FTC should receive notice right away and at the same time as other law enforcement.
  • Definition of “personal information”  Commissioner Ramirez indicated that she believes that paper records — not just electronic records — should be covered and that health information should be included within the definition of personal information.  A number of members weighed in on the draft’s exclusion of “public record information” from the definition of personal information — a debate that largely tracked party lines.  Rep. Jan Schakowsky (D-IL) further noted that the discussion draft narrows the definition of personal information to that “related to commercial activity.”  She seemed concerned that if a business collected more information than necessary to carry out its commercial business, the additional information might not be covered by the legislation.  (No one raised the question of whether this new language might exclude employee data, which we see as a possible interpretive question.)
  • Appropriate standard for “risk of harm” trigger for notification.  The discussion draft requires notification to consumers and the FTC if the breach presents a “reasonable risk of identity theft, fraud, or other unlawful conduct.”  A number of Republican members of the Subcommittee asked Commissioner Ramirez about the difference between a standard based on “reasonable” risk of harm to consumers versus “significant” risk of harm.
  • Relationship with Gramm-Leach-Bliley Act.  The discussion draft exempts entities that are subject to the security requirements of the GLB Act or HIPAA.  Rep. Waxman indicated that he plans to work with Rep. Bono Mack to make sure that there is no ambiguity or disparity with respect to the treatment of retailers and non-bank financial institutions (subject to FTC jurisdiction under the GLB Act).