By David Fagan and Libbie Canter

Yesterday, the House Subcommittee on Commerce, Manufacturing, and Trade voted to report the Secure and Fortify Electronic Data Act (H.R. 2577) — the SAFE Data Act — to the full House Energy & Commerce Committee, moving the legislation one step closer to passage. The legislation creates a national breach notification standard that would preempt the 46 state laws (plus District of Columbia and Puerto Rico laws) that presently require entities to notify consumers of breaches of their personal information.

The legislation was introduced formally on July 19 by Rep. Mary Bono Mack (R-CA) and was approved by the Subcommittee by a voice vote that appeared to track party lines. Rep. Bono Mack had circulated a discussion draft of the SAFE Data Act last month that we discussed here.

Prior to voting the bill out of the Subcommittee, members considered several amendments to the legislation, focusing in particular on issues relating to the rulemaking authority of the Federal Trade Commission and the scope of the definition of personal information. The Subcommittee took the following actions on proposed amendments:

  • It approved an amendment offered by Rep. Bobby Rush (D-IL) that is intended to clarify that the Act’s information security obligations apply to paper records in addition to electronic records. 
  • It approved an amendment offered by Reps. Marsha Blackburn (R-TN) and Pete Olson (R-TX) that appears designed to make it more difficult for the Federal Trade Commission to expand the definition of personal information. Prior to the amendment, the bill expressly authorized the FTC to modify the definition of personal information through an Administrative Procedures Act rulemaking process.
  • It approved an amendment offered by Rep. Cliff Stearns (R-FL) that was intended to clarify that the FTC lacks rulemaking authority with respect to the provisions of the bill that require persons covered by the bill to establish so-called data minimization procedures (i.e., a plan and procedures to only retain data reasonably needed for legitimate business purposes).
  • Democratic members of the Subcommittee unsuccessfully offered a series of amendments — none of which was accepted by the Subcommittee — that would have enlarged the definition of personal information under the legislation. These amendments would have expanded the definition of personal information to cover the content of online communications, location information relating to children, information about over-the-counter drug usage; information about online queries for disease-related information; and information about video and book rentals and purchases. Rep. Rush also unsuccessfully offered an amendment designed to narrow the exclusion of public record information from the definition of personal information.
  • Rep. Adam Kinzinger (R-IL) offered and withdrew two amendments, the first of which would have expanded the definition of personal information to cover an e-mail address in combination with password information. The second of these amendments would have excluded from breach notice obligations those businesses that collect and maintain data about fewer than 10,000 individuals over the course of a 12-month period. Rep. Kinzinger indicated that he would work with Chairwoman Bono Mack during later stages of the processes — presumably meaning before the bill is voted on by the full Energy & Commerce Committee — to address the issues raised by these amendments.
  • Rep. Stearns offered and withdrew an amendment designed to assist businesses determine when the “clock begins to run” on their obligation to provide notice to law enforcement and individuals. He indicated that a 45-day outside deadline for notification may not be adequate, particularly for smaller businesses.

The Subcommittee’s markup of the SAFE Data Act took on a fairly partisan tone, although Rep. Joe Barton (R-TX) sided with Democrats on several points. In particular, Chairwoman Bono Mack and others, such as Rep. Charlie Bass (R-NH), indicated that they intend to limit this legislation to addressing the risk of identity theft and financial harm, while Democrats sought protections for sensitive information beyond those types of data that can be used to perpetuate financial fraud.

Clarification:  After the initial post, we were able to confirm that the Rep. Rush amendment that was adopted by the Subcommittee is designed to make clear that the Act’s information security obligations cover paper records.  This amendment does not amend the Act’s breach notice obligations.