Trade Law Daily is a service of Warren Communications News.

Data Breach Bills Running out of Time

Odds are dimming that Congress will pass a comprehensive data security bill before recessing in Aug., sources told us. In the House, 3 bills have emerged from committee and await floor consideration. So have 3 Senate bills. But deciding which bills reach each chamber’s floor and reconciling them will test lawmakers’ abilities to deal with their own brief, crammed calendars no less than their will to fight breaches.

HR-4127, which would set “reasonable security policies” to protect computerized personal data and mandate nationwide notification for breaches, was introduced in Oct. by Rep. Stearns (R-Fla.). It has broad high-tech industry and consumer group support. Rep. LaTourette’s (R-O.) Financial Data Protection Act (HR-3997) would amend the Fair Credit Reporting Act. It’s a “completely one-sided” bill that “guts existing state laws” while setting weak data protection standards, Consumers Union policy analyst Susanna Montezemolo said (WID May 12 p1). HR-3997 would override 17 state “security freeze” laws, she said.

House Judiciary Committee Chmn. Sensenbrenner’s (R-Wis.) HR-5318 focuses on notice to law enforcement; its provisions would update the U.S. criminal code relative to cybercrime, industry sources said. The bill would give law enforcement more resources to fight cybercrime. House staffers indicate all 3 bills are “in play” for leadership’s consideration.

In the Senate, the Identity Theft Protection Act (S-1408), introduced almost a year ago by Sens. Smith (R-Ore.) and Nelson (D-Fla.), has stood still since its committee approved it. The bill, which includes provisions for federal preemption, would empower state attorneys general to sue in federal court. It would require information holders to comply with existing FTC rules, provide notice of data breaches and let consumers freeze their credit. The Personal Data Privacy & Security Act (S-1789), from Senate Judiciary Committee Chmn. Specter (R-Pa.) and Ranking Member Leahy (D-Vt.), also has languished, along with Sen. Sessions’ (R-Ala.) Notification of Risk to Personal Data Act (S-1326).

The Senate’s latest action was in June, with introduction of a new Senate Banking Committee bill from Sens. Bennett (R-Utah) and Carper (D-Del.). Their Data Security Act (S-3568) would set a uniform national standard to guard Social Security numbers, driver’s licenses, credit cards and account access codes and passwords. It is aimed at financial institutions falling under the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act. Committee staff would like to see the bill merged with Judiciary and Commerce Committee texts, a staffer told us (WID June 28 p3).

Meanwhile, the hacks keep coming. Late in June breaches were revealed by 2 U.S. agencies. The FTC, whose main mission is protecting consumers, told 100-plus people 2 FTC laptops containing their data were stolen from a vehicle. The Dept. of Agriculture told D.C.-area workers their data might have been compromised when agency computers were tapped illegally (WID June 23 p4). The most sensational breach, in May at the Dept. of Veterans Affairs, wasn’t resolved for weeks.

Congress won’t pass a bill this session, data security attorney Andy Serwin predicted. Despite the rumpus inevitably raised over a specific breach, “I don’t think there’s a lot of voter support right now versus other issues,” Serwin said: “People are concerned about it but it’s not the top of mind issue.” And disparities of focus among bills haven’t been addressed, he said, noting that some tilt toward industry while others favor consumers. Some in industry want a ceiling, preempting 30-plus existing state laws, he said: “Consumer advocates are looking more for a floor.”

With no federal statute, state breach and notice laws do provide a de facto but disjointed “national standard,” Serwin said. No matter where an information holder or affected consumer is, most entities involved in a breach must make some type of disclosure, he said. A pioneering 2004 Cal. law has led to a rush of legislative activity - at the state level, Serwin said: “Some states have gone pretty far on this. The question is how far is the federal government going to go when it comes to reining states’ [regulations] in.” Serwin isn’t sure “which bill will get more traction.”

The CAN-SPAM Act evolved in similar fashion, Serwin said, recalling that 46 states had junk e-mail standards, with many Hill proposals considered. Once Cal. set the harshest state standard, “everyone was making noise at the federal level saying we had to preempt it,” he said: “It’s going to have to take an event like that to serve as catalyst [and] it hasn’t been the VA breach.” In most breaches, data are recovered or never used against those to whom they belong, he said. For Congress to act, ID thieves will have to strike spectacularly or some legislature will have to nail a particularly harsh breach law to a statehouse wall, he said.