Bipartisan Data Security and Breach Notification Legislation on Fast Track in the House
On March 25th, the House Energy and Commerce Committee's Subcommittee on Commerce, Manufacturing and Trade marked up a discussion draft of the "Data Security and Breach Notification Act of 2015" with strong support from Subcommittee Republicans, including Chairman Michael Burgess (R-TX), and some Democrats. The markup came a week after the bill's circulation and legislative hearing and less than two months after the Subcommittee held its first hearing for the 114th Congress - an indication of the House leadership's determination to pass a data security and breach notification bill this year.
The discussion draft, authored by Energy and Commerce Committee Vice Chair Marsha Blackburn (R-TN) and Peter Welch (D-VT), represents the first bipartisan legislative effort in the House to enact a federal information security and breach notification framework since 2009. It seeks to balance granting the Federal Trade Commission (FTC) broad and explicit authority over data security and breach notification requirements with ensuring regulatory certainty through a single national standard subject to non-duplicative federal and state enforcement. While the legislative hearing and markup helped identify the divide between Republicans and Democrats, and between business interests and privacy advocates, the gaps that were exposed did not seem insurmountable, and members from both sides of the aisle seemed willing to entertain further compromises in order to move the legislation through the House on a bipartisan basis.
Key Issues Remain As Legislation Progresses Through Hearing & Subcommittee Markup
As the draft bill has moved through the legislative process, its sponsors have consistently described their effort as a carefully crafted, narrow proposal that would vest the FTC with the authority to enforce a single national standard for securing electronic personal information, and that would require covered entities to notify affected customers and law enforcement authorities when breaches of such information do occur. While the overarching goals of the legislation were generally endorsed by members of the Subcommittee from both sides of the aisle, the debate that ensued at the legislative hearing and markup helped shed light on a number of key issues dividing the parties and key stakeholders. They include:
- Preemption: A violation of the data security and breach notification requirements imposed by the draft bill constitutes an unfair or deceptive act or practice subject to enforcement by the FTC and state attorneys general, but not through any private right of action. However, similar to the previous bipartisan legislation that passed the House in 2009, the draft bill also preempts state information security laws, although a bracketed provision in the discussion draft seems to indicate that a covered entity's liability under common law is not affected by the bill. During markup, amendments were offered either to remove the preemption of state law or to remove the bracketed language exempting common law from preemption, indicating a wide partisan divide on this issue.
- Definition of Personal Information: Many Democrats and public interest stakeholders point out that the bill does not grant the FTC any rulemaking authority to define or modify the term "personal information," which would allow the definition to take into account the emergence of new technologies or evolving expectations of what information should be considered private and thus fall within the bill's protections. Opponents of such a change argue that changes to the definition should be made only by Congress, and that giving the FTC too much flexibility through rulemaking would undermine the goals of uniformity and predictability. During the markup, Congresswoman Yvette Clarke (D-NY) introduced an amendment that would grant the FTC rulemaking authority over the definition of "personal information," but it was defeated in a party-line vote.
- Third-Party Duty to Notify: A bipartisan amendment adopted during the markup amends the draft bill so that a breached covered entity that handles data on behalf of another covered entity is responsible for providing the breach notification to the affected individuals, while avoiding over-notification. The sponsor of the amendment, Mr. Pompeo, stated that the new language attempts to place the same legal burden to provide notification on all breached entities, although he also acknowledged that the amendment language is not perfect and more work needs to be done to refine it.
- Treatment of FCC Authority: In creating a single national data security and breach notification regime, the sponsors of the bill also sought to remove duplicative enforcement authorities among federal agencies. As a result, the Federal Communications Commission's authority to regulate the data security and breach notification practices of common carriers, cable providers, and satellite providers is eliminated under the bill. Supporters of the provision argue that the FCC's authority is redundant and that those regulated entities should be treated no differently than entities in any other covered sector, which are subject only to the FTC's case-by-case enforcement regime. Opponents, on the other hand, point to the lack of rulemaking authority at the FTC and to the loss of certain safeguards for call-related information (for example, the numbers called or the particular services used, such as call forwarding), known as "customer proprietary network information" (CPNI), that is currently protected by the FCC's rules.
- Definition of CPNI: With the elimination of FCC authority over the security of CPNI, the sponsors of the draft bill added a slightly modified definition of CPNI to the list of "personal information" protected by the bill's requirements, to ensure there are no unintended gaps in the jurisdictional shift from the FCC to the FTC. Opponents of the current language argued, however, that the modified definition of CPNI fails to capture the full scope of the FCC's existing rules. During markup, Congressman Bobby Rush (D-IL) introduced an amendment that would add to the definition of "personal information": (1) proprietary information of other carriers, equipment manufacturers, and customers; (2) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service or interconnected VoIP service; and (3) personally identifiable information concerning any subscriber to a cable service, satellite service, or any other wire or radio communications service provided using any of the cable or satellite facilities, including any viewing-related information. This amendment was also defeated along party lines.
- Privacy versus Data Security: Throughout the hearing and markup, the chief Democratic sponsor, Peter Welch, repeatedly emphasized the narrowly tailored nature of the draft proposal. One example is the sponsors' effort to preserve the FCC's existing authority over privacy matters. Nevertheless, the FCC testified during the hearing, and several Democrats agreed, that it is impossible to separate privacy protection from data security. At the markup, supporters of the legislation argued that privacy-related obligations, such as giving subscribers notice of the personal information collected or to be collected, seeking customer consent for disclosure of such information, or allowing subscribers access to such information, are outside the scope of the bill. To further support this point, the sponsors included a bracketed provision that, should the brackets be removed, would help clarify that the FCC's existing regulatory power over privacy is preserved under the draft bill.
Aside from those key issues, concerns over the notification procedure and trigger, as well as the penalties that may be imposed by state attorneys general, further divided proponents and opponents of the bill.
Next Up: More Negotiations and Markup
Bipartisan legislation carefully negotiated to reflect the middle ground may disappoint some interests on both the left and the right, but there remains much to like in the Blackburn-Welch legislation for lawmakers facing pressure at home for visible action in response to the near-daily discovery of significant data breaches. The fact that the bill was voice-voted out of the Subcommittee is a positive sign that both Democrats and Republicans continue to hold out hope for a broader consensus that may be reached through further negotiation. The bill will likely be marked up by the full Energy and Commerce Committee after Congress returns from its two-week April recess, and a House floor vote soon after is also likely. The extent to which the two parties can further narrow their differences between now and then will be a good indication of whether the bill is on track to reach the President's desk before the end of the year.