By Ani Gevorkian

The issues of data breach notification and data security received a fair amount of attention in the House this week: on Wednesday, the House Energy and Commerce Subcommittee on Trade approved one data breach bill, and on Thursday, Rep. Jim Langevin (D-RI), co-chairman of the House Cybersecurity Caucus, announced the release of another.

The bill approved on Wednesday—the Data Security and Breach Notification Act—is sponsored by Reps. Michael Burgess (R-TX), Marsha Blackburn (R-TN), and Peter Welch (D-VT).  It would require companies to maintain reasonable security practices and inform customers within 30 days if their data might have been stolen during a breach.  It would also empower the Federal Trade Commission (“FTC”) to enforce the bill’s rules.

The bill was approved along party lines, with Republicans and Democrats disagreeing over the bill’s preemption of state data security and breach notification standards.  Several Democrats expressed concern that the bill would provide a uniform federal data security standard at the expense of eliminating stronger consumer protections at the state level.

Rep. Joseph Kennedy (D-MA) offered two amendments to prevent the bill from preempting state data security requirements and relevant common law, but the amendments failed to garner sufficient support.  Democrats also offered amendments to give the FTC rulemaking authority to define “personal information” and to bolster the Federal Communications Commission’s data security role.  These measures were also defeated.

Langevin’s legislation, which requires companies to disclose data breaches to affected customers within 30 days of discovery, will go head-to-head with the Data Security and Breach Notification Act.  Langevin said he thinks data security regulation should remain at the state level.  Representatives will likely debate Langevin’s bill in the near future.

Langevin also introduced another bill on Thursday, which would establish a point-person in the executive office of the president to oversee the cybersecurity of the .gov domain.