by David Fagan, Libbie Canter, and Josephine Liu

The House Subcommittee on Commerce, Manufacturing and Trade held a hearing yesterday on draft data security legislation authored by Chairwoman Mary Bono Mack (R-CA).  The hearing was very well attended with significant substantive engagement by Subcommittee members on both sides of the aisle — an indication that the Subcommittee and the broader House Energy and Commerce Committee are committed to moving data security legislation this year.  To that end, it is worth noting that while the House last year passed legislation drafted by Rep. Bobby Rush (D-IL) — which was re-introduced earlier this year, along with a similar legislation from Rep. Cliff Stearns (R-FL) — Rep. Bono Mack’s legislation, the Secure and Fortify Electronic Data Act, or SAFE Data Act, is expected now to form the basis for legislation in the House this year.Continue Reading Rep. Bono Mack Circulates Data Security Bill in Advance of Subcommittee Hearing

Yesterday, the House Subcommittee on Commerce, Manufacturing and Trade held its second hearing on data security in the past month.  The hearing featured the testimony of top executives from Sony and Epsilon, companies that recently have been the victims of large-scale cyber attacks.  The hearing focused mainly on the specifics of the recent attacks, the

The House Energy and Commerce Commerce has announced plans for a “comprehensive review” of privacy and data security regulation.  The announcement explained that the “first phase” of the Committee’s review would be devoted to an assessment of the need for data security legislation.  The committee will then consider what Chairman Fred Upton referred to as “the

As expected, Rep. Cliff Stearns (R-FL) and co-sponsor Rep. Jim Matheson (D-UT) introduced the “Consumer Privacy Protection Act of 2011” earlier today.  The bill follows closely on the heels of the “Consumer Privacy Bill of Rights Act” (S. 799), which was introduced yesterday by Senators John Kerry (D-MA) and John McCain (R-AZ).  (You can read our summary of S.799 here.)  The following is a summary of Rep. Stearns’ bill that highlights its key differences from S.799.

Scope:  The bill would regulate the online and offline collection and use of traditional forms of personally identifiable information (e.g., name, address, email).  The scope is therefore narrower than S.799, which also covers the collection and use of “unique identifiers” and IP addresses. 

Notice obligations:  The bill requires covered entities to provide notice in three instances: 

  • Notice in a privacy policy;
  • Notice in a “statement” made before any PII collected from a consumer is used for a purpose unrelated to the transaction for which it was collected; and
  • Notice for material changes to privacy policy statements.    

S.799 contemplates the first and third forms of notice; not the second. 

Consent obligations:  Unlike S.799, the Stearns bill does not obligate entities to obtain opt-in consent in any circumstance.  It requires opt-out consent before selling PII that may be used for a purpose unrelated to the transaction in which the PII was collected unless the purchasing entity is (1) under common control with the covered entity; or (2) contractually obligated to comply with the practices enumerated under the entity’s privacy policy.  A covered entity may provide the consumer an opportunity to permit the sale (or disclosure for consideration) of such information in exchange for a benefit to the consumer. 

In other circumstances, a covered entity may offer consumers other opportunities to limit collection or use of PII, but is not required to do so. Continue Reading Stearns Introduces “Consumer Privacy Protection Act”

As expected, this year is shaping up to be a busy year on privacy.  As we noted in an earlier post, many Congressional members on both sides of the aisle are focusing on privacy issues.  We still expect Senator Kerry to introduce comprehensive privacy legislation in the next few weeks and we understand Senator