A Step Closer to Meaningful Data Breach Legislation

House Subcommittee marks up proposed bill, including much-needed amendments regarding notification, but work still needed.

March 26, 2015

WASHINGTON – Yesterday, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade marked up and voted to advance the “Data Security and Breach Notification Act of 2015” to the full committee.

The draft legislation, which was authored by Subcommittee Chairman Michael Burgess (R-TX) along with Reps. Marsha Blackburn (R-TN) and Peter Welch (D-VT), aims to enact a national data breach notification standard that preempts existing state laws.

Several bipartisan amendments were offered during the markup (the process by which a congressional committee debates, amends and rewrites proposed legislation) and passed unanimously. The most important amendment, offered by Welch and Rep. Mike Pompeo (R-KS), would require breached third-party entities to provide breach notification directly to affected consumers and give a non-breached company with whom the third-party entity does business the option to provide the notification in place of the breached third party. This change is significant: Prior to the Pompeo/Welch amendment, a non-breached business, such as a retailer, would have been required to notify consumers about a breach at a third-party entity, such as a cloud storage provider, ultimately forcing the retailer to unfairly take the blame for a breach.

Two other amendments from Blackburn and Rep. Tony Cardenas (D-CA) were also successful. Those amendments would require the Federal Trade Commission (FTC) to conduct data security education and outreach for small businesses and to maintain a data security best practices website.

Democrats offered five amendments, including those granting the FTC rulemaking authority to define “personal information,” requiring breached service providers to provide data breach notification directly to consumers, and limiting the bill’s preemption of state laws. Despite the fact that all of these amendments were supported by Welch, the bill’s Democratic sponsor, Republicans on the subcommittee voted them all down.

NACS had many concerns with the initial draft and worked closely with policymakers before the markup to ensure that the bill’s data security and consumer notification standards would be fair and apply to all parties equally. While NACS supported the Pompeo/Welch third-party notification amendment and believes the bill is much improved with this change, it will continue to push hard for service providers to have the same data breach notification requirements. A full committee markup is expected in mid-April.
