House Democrat pushes new data breach bill

Rep. David Cicilline is trying to restart the stalled debate on legislation that would require companies to tell customers they have been hacked.

On Tuesday, the Rhode Island Democrat introduced a House companion bill to Sen. Patrick Leahy’s (D-Vt.) Consumer Privacy Protection Act.

{mosads}Like numerous other Senate and House offerings, the bill mandates that companies inform customers within 30 days of a data breach and that they meet minimum security standards.

But unlike several other measures, Cicilline’s bill would not pre-empt stricter state-level data breach laws, a sticking point for Republicans and Democrats. That element of the bill is a major reason Cicilline’s measure is preferred by consumer advocates and digital rights groups.

“I see this as an important baseline,” Cicilline told The Hill in an interview. “States are the places where very often great innovation in this area is happening. We want to encourage that, but at the same time, we want to make sure there’s a baseline for all consumers.”

But it’s also those state laws that have spurred legislators to seek a federal standard. With 47 different local rules, companies say they are struggling to comply with the patchwork of regulations.

As businesses are hacked at a rapidly increasing rate, they have upped the pressure on Congress to lighten the regulatory burden faced in the wake of a digital intrusion.

Mammoth data breaches at Target, Home Depot, JPMorgan and Anthem, among many others, have also put hundreds of millions of Americans’ private data at risk and spurred calls for action.

“We all have constituents who have great anxiety about their personal information being out there,” Cicilline said.

However, Congress has not yet been able to pass a major anti-hacking bill.

“The more the public hears about these breaches, the more they experience the effects of them, the more they’re going to put pressure on their elected officials in Congress,” Cicilline said. “I’m going to work hard to capture and build on that momentum.”

Cicilline will be vying with other House members to harness that momentum.

Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.) in early May introduced their own data breach bill as a companion to a Senate offering from Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.). Neugebauer chairs the House Financial Services Financial Institutions and Consumer Credit Subcommittee, and the financial industry quickly came out in favor of his measure.

Reps. Peter Welch (D-Vt.) and Marsha Blackburn (R-Tenn.) had previously backed their own bipartisan offering. But Democrats pulled support at the last minute during an Energy and Commerce Committee markup in April. Although the measure was approved along party lines, it did not get a floor vote.

Cicilline said his bill has only Democratic co-sponsors lined up for now, reflecting Leahy’s upper chamber offering, which has the support of five progressive Democrats.

“I do think there’s a coalition that will develop between progressives and some people who are more conservative but assign a deep value to respecting the privacy of individuals,” Cicilline said.

In April, the Rhode Island Democrat voted against the House’s two complementary bills that would boost the public-private exchange of cyber threat data. The votes put him to the left of centrist Democrats on some data security issues and aligned him with privacy advocates, who worried the measures would simply shuttle more personal data to the National Security Agency.

Portions of Cicilline’s data breach bill reflects this position.

It provides the broadest definition of what is considered private information. In addition to data that could lead to financial fraud — banking information, Social Security numbers — the bill counts data that could lead to “dignity harm,” such as personal photos and videos.

“Things which may not result in financial loss but can impose great harm to people if shared widely with the public,” Cicilline explained.

The bill would also create civil penalties for companies failing to comply with the standards.

Civil penalties have been a tough sell for Republicans, who are worried about giving too much power to federal regulators.

Cicilline conceded that he had work to do winning over the GOP. But he maintained that public pressure will eventually force Congress to act, hopefully by the end of the year.

“This is not a complicated bill to understand,” he said. “It’s not going to require lots of study.”