In the wake of the recent Target Corp. credit card data breach, Congress is once again turning its attention to data breach legislation. In a memorandum to Republican lawmakers on January 2, House Majority Leader Eric Cantor (R-Va.) stated that he intends to schedule legislation on security and breach notification requirements for federally facilitated healthcare exchanges when Congress resumes session next week. Democratic leaders characterized the news as yet another effort by Republican lawmakers to undermine the Affordable Care Act rather than a serious effort to deal with data security issues.
In his message to Congressional colleagues, Cantor discussed Target’s recent data breach, commenting that “millions of Americans learned [of Target’s data breach] from the press…” rather than from Target itself and stressing that “Americans shouldn’t have to wonder whether or not they will receive prompt notification” of a breach. Cantor went on to note that, while the Target breach “ha[d] received well-deserved attention”, another recent less-publicized report by Experian deserved scrutiny as well. The Experian report in question cautioned that, rather than the financial services industry, “[t]he healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014.”
Citing issues raised by the author of the report, Cantor expressed concern that current procedures governing federally facilitated healthcare exchanges allow the Centers for Medicare & Medicaid Services (“CMS”) to determine whether individuals need to be notified in the event of a security breach. Cantor implied this could lead to a scenario where a government may elect not to inform Americans of a data breach. Representatives Diane Black (R. Tenn.), Kerry Bentivolio (R.-Mich.) and Gus Bilirakis (R-Fla.) have introduced legislation to strengthen security requirements and require prompt notification in the event of a breach, thereby removing discretion from CMS.
Data breach legislation has been a perennial topic in Congress. Although progress on general federal data breach legislation has been stymied by deliberations on preemption, among other things, this hurdle is notably absent in the context of federally facilitated healthcare exchanges. In addition, concern regarding the risks of data breaches in online healthcare exchanges has garnered increasing attention from Congress in recent months with four separate House Committees documenting the risks since November 2013. Cantor indicated that he intends to schedule legislation on the above topics next week, which suggests the possibility that Reps. Black, Bentivolio, and Bilirakis’ proposals may be combined into legislation that would come to the House floor.