Controversial data breach bill passes House committee

The House Energy and Commerce Committee approved a controversial bill creating national data security standards after a chaotic markup that revealed deep Democratic concerns about the measure. 

The Data Security and Breach Notification Act appears headed for further changes prior to a vote by the full House. The committee approved it on a party-line vote of 29-20. 

{mosads}Wednesday’s markup exposed a rift between Energy and Commerce members on key matters, including whether the bill should preempt stronger consumer data protections at the state level. 

Ranking Member Rep. Frank Pallone (D-N.J.) called the legislation “deeply flawed.” 

“I am very concerned,” he said. “I just think that this is moving much too quickly. There are a lot of changes that I think need to be made. I’m very concerned, particularly, about the preemption issue. All of these things need a lot of time and work … I would like to see the process slowed down.” 

The bill from Reps. Marsha Blackburn (R-Tenn.) and Peter Welch (D-Vt.) is designed to replace the patchwork of state data security and breach notification laws. 

Currently, companies that experience a data breach or hack must comply with a variety of requirements across the country. Lawmakers consider it a priority to at least streamline the requirement for consumer notification. 

The presence of a national data security standard in the bill has caused problems from the beginning. Democrats and privacy groups argue that replacing stronger state laws will leave consumers vulnerable. 

A series of Democratic amendments to make the standard more specific, to create a floor for data security requirements and to avoid a level of preemption failed. A manager’s amendment and a change capping federal penalties for some breached companies passed with support from Republicans, along with a handful of other amendments. 

Republicans rejected the proposals by saying they are trying to keep the bill “narrowly tailored.” Chairman Fred Upton (R-Mich.) suggested that several Democratic changes would hamper the bill’s chances of passing the Senate. 

“I say this with a smile — I don’t expect to [pass the bill under] suspension,” Upton said, referring to non-controversial measures that require a two-thirds majority vote on the House floor. 

The legislation would require companies to maintain “reasonable security measures and practices” to protect consumer data, and to disclose breaches when there is a risk of consumer harm. The notification would be required to take place within 30 days of when a company determines the scope of a breach and restores their systems. 

In a sign of the controversy surrounding the bill, its lead Democratic cosponsor ultimately voted against it after supporting an amendment from Rep. Bobby Rush (D-Ill.) that would significantly alter the measure’s approach.