Legislative Wrangling Over Data Security and Breach Notification Act

House Energy and Commerce Committee marks up bill, including amendments on third-party breaches.

April 17, 2015

WASHINGTON – On Wednesday, the House Energy and Commerce Committee marked up H.R. 1770: the Data Security and Breach Notification Act of 2015. The consideration of the bill was unusual because, at the outset of the mark-up, Committee Chairman Fred Upton (R-MI) said the bill needed more work before it could be passed. Regardless, he had the Committee consider the bill with the understanding that it would be further refined before consideration by the full House of Representatives, and Upton claimed that the House could vote on the bill next week.

The Committee considered a number of amendments during the mark-up, adopting several, before favorably reporting the bill to the House of Representatives. The bill, which is co-sponsored by Upton and Representatives Marsha Blackburn (R-TN), Michael Burgess (R-TX) and Peter Welch (D-VT), aims to enact a national data breach notification standard that preempts existing state laws.

There was a clear partisan divide during the mark-up. Democrats criticized the bill for its preemptive language that they believe weakens existing state laws pertaining to data breaches and generally expressed concern that the bill had moved too quickly through the legislative process. Despite Upton’s assurances that he planned to work collaboratively to satisfy the concerns of Democrats – who are concerned the bill does not sufficiently protect consumers – Democrats remained, for the most part, unconvinced that the fundamental problems with the bill could be resolved by that time. In fact, Welch ultimately voted against the bill even though he is one of its co-sponsors. That said, he pledged to try to resolve any differences so that he could once again support the legislation.

A manager’s amendment to the bill made a number of changes to try to ensure that companies whose data is breached while it is in the hands of another company (a payment processor, for example) are not responsible for notifying consumers of those breaches. The manager’s amendment also limited the scope of breaches that must be reported to those involving not only access to data but also acquisition of that data by criminals. Previous versions of the bill had required notification even if data was merely accessed but not acquired. Democrats criticized this change, claiming that consumers could be harmed even if data is merely accessed. Nonetheless, the manager’s amendment was adopted by a voice vote.

The Committee also adopted Rep. Pete Olson’s (R-TX) amendment, which set caps for the penalties that the Federal Trade Commission could impose if a company suffers a data breach and does not follow the notification requirements in the bill. The Committee also adopted an amendment from Rep. Adam Kinzinger (R-IL) that requires breached entities to notify consumers if users’ e-mail log-in information and full name are acquired by hackers.

All of the amendments offered by Democrats and brought to a vote were rejected, but some amendments were withdrawn before a vote based on Chairman Upton’s assurances that he would like to work toward compromises on those issues. Among those amendments that may receive further consideration was an amendment offered by Rep. Tony Cardenas (D-CA) that was strongly supported by NACS. It would remove from the bill the provisions stating that if telecommunications or internet service providers have breaches of data in transmission, all they need to do is inform the business that has the direct relationship with affected consumers (like retailers) and then all of the costs and potential liabilities fall onto the retailer.

In an April 14 letter to Chairman Upton opposing the bill, NACS emphasized that while it supports the central emphasis of the bill, foisting the data breach notification responsibilities of telecommunications and Internet services companies onto NACS members would be fundamentally unfair. NACS will be working to try to resolve these concerns before the bill is considered by the House of Representatives.
