By Lala Qadir

A bipartisan data security bill was unveiled last week as part of a renewed push to create standardized requirements around data breach and security issues.  Both co-sponsors of the bill, Representative Marsha Blackburn (R-TN) and Representative Peter Welch (D-VT), are members of the House Subcommittee on Commerce, Manufacturing, and Trade, and Blackburn also serves as Vice Chairman of the Energy and Commerce Committee.

Entitled the “Data Security and Breach Notification Act of 2015,” this draft legislation imposes requirements on companies that collect and store the personal information of individuals. Under this bill, companies would be required to use “reasonable security measures” to protect an individual’s personal information. The bill would also require a company to notify affected individuals as “expeditiously as possible” but no later than 30 days after the company has taken the “necessary measures to determine the scope of the breach and restore reasonable integrity, security, and confidentiality of the data system,” unless the delay is attributed to law enforcement or national security reasons. Companies would not be obligated to provide individual notice if there was no reasonable risk that the breach of security resulted in, or would result in, identity theft, economic loss or harm, or financial fraud. A violation of this legislation would constitute an unfair and deceptive act or practice, and violations could be enforced by the Federal Trade Commission or state attorneys general. Further, both the Federal Trade Commission and state attorneys general would be able to obtain civil penalties for violations of the data security and breach notification requirements. However, no private right of action would be extended under the current draft. The draft bill would also effectively preempt the current patchwork of state statutes governing data breach notification and data security.

This bill comes on the heels of recent high-profile data breaches that compromised sensitive personal information and data, putting consumers at risk. “Until today, Washington has been asleep at the switch while millions of Americans have had their personal information stolen by cyber criminals,” Rep. Peter Welch (D-Vt.) said in unveiling the bill. “While this draft bill is far from perfect, it is an important step in the right direction.” Similarly, Representative Blackburn, in a written statement, noted that “[a]s one of the tens of millions of Americans who has been a victim of a data breach I know firsthand the great importance of needing to protect our personal information from identity theft. This bill will help enhance the security of sensitive information and provide much needed clarity by creating a national standard and ensure that consumers are notified of a breach without unreasonable delay.”

Although the bill is still in draft form, consumer advocacy groups are expected to raise opposition if it preempts stronger state laws. To that end, it is likely the bill will go through several rounds of discussion and revision. The Subcommittee on Commerce, Manufacturing, and Trade is set to review the bill this coming Wednesday, March 18, 2015, at 10:00 am.