No Consensus on 'Bipartisan' Breach Bill

Old Divides Resurface Over Proposal of National Standard

Once more into the (data) breach!

That was the cry of the House Commerce, Manufacturing and Trade Subcommittee as it tackled the issues of data security and breach notification teed up in a new draft bill.

But while both sides invoked the horror stories of billion-dollar losses from identity theft and job losses in the hundreds of thousands, the political divides were clearly showing.

The bill has a Democratic co-sponsor, Rep. Peter Welch (D-Vt.), but other Democrats at the hearing suggested that a single Dem did not a bipartisan bill make.

The bill would create a nationwide data security and breach notification standard, which both sides say they can support. But it would also pre-empt state and local laws. Dems say that unless the bill is strengthened, that would just be replacing stronger laws with weaker ones, which they say would not benefit consumers.

The bill deals with security and notification, but not how to protect privacy of information, which Welch said was because Congress had to do something, and the privacy part was too contentious. He said that needed dealing with, but first and foremost Congress had to act.

Subcommittee chairman Rep. Michael Burgess (R-Tex.) agreed. He pointed out that the subcommittee had been working on the issue for a decade.

Summing up Democratic concerns, Rep. Jan Schakowsky (D-Ill.), ranking member of the subcommittee, said that while there were some positive elements, including giving the FCC civil penalty authority and provisions on data security, it would need serious amending to attract more Democrats. She said she thought that was not out of reach, but that it would need to better balance simplifying the regime with protecting consumers.

She took issue with preventing states from enforcing their own laws and pre-empting private rights of action.

She said it would leave consumers weaker, and weaken cable and satellite info privacy protections -- under the bill, consumer viewing and movie buying records would no longer be defined as the kind of personal information being protected.

She said that while she thought the Federal Trade Commission should be empowered -- the bill would give the FTC some oversight authority stripped by the FCC's Title II reclassification -- that should not come at the expense of existing FCC protections.

The bill does not cover health information, and defines covered information narrowly. Too narrowly for Schakowsky and other Democrats. She pointed out that in addition to not covering health information -- Republicans say there are HIPAA laws already -- the definition of personal information does not include metadata and it does not give the FTC rulemaking authority to define what personal information is, which she called a major weakness.

She pointed to what she said was the broad pre-emption of state laws but the narrow definition of harms to personal information. The bill is narrow where it should be wide, she said, and wide where it should be narrow.

Welch said he sees areas of agreement, but mostly they seemed to be old ones: that there was a problem and something needs to be done about it.

He pointed out the bill was only a discussion draft, that it gave the FTC specific statutory authority and civil penalty authority, and that while it did pre-empt state security and breach laws, it did not limit them on privacy enforcement. He said the bill was not about privacy or network neutrality. 

Jessica Rich from the FTC said the bill needed to add some categories to its protections, including connected devices, health and geolocation information, and passport and driver's license numbers.



