Lawmakers Float Concerns about Bono Mack Data Protection Bill
A data protection draft bill took shots from the left and the right at a hearing Wednesday of the House Commerce Subcommittee on Manufacturing and Trade. Senior Democrats said the draft by Chairwoman Mary Bono Mack, R-Calif., removed key consumer protection provisions from last Congress’ DATA Act proposal. Rep. Cliff Stearns, R-Fla., said he saw Bono Mack’s version as an overreaction to recent breaches of Sony and Epsilon. But both sides said they hoped to reach consensus.
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
Bono Mack said at the hearing that she “fully intend[s] to have a bipartisan product,” and that she plans to take up separate privacy legislation addressing broader issues later. Bono Mack told reporters she wants to mark up her data bill and pass it through the full House before the August recess, but she hasn’t yet talked to House leadership about the floor schedule. Bono Mack said her bill builds on the DATA Act that passed the House in 2009 but never moved in the Senate. “It’s an upgraded, 2.0 version of data security legislation, encompassing many of the lessons learned in the aftermath of massive data breaches at Sony and Epsilon.” The draft bill surfaced earlier this week (WID June 14 p6).
But subcommittee members squabbled over the bill’s details. “This draft is not balanced,” said Commerce Committee Ranking Member Henry Waxman, D-Calif. “It gives businesses too many protections and consumers not enough. It preempts strong state laws and replaces them with a weak federal one.” But Waxman applauded the addition of language to minimize the amount of data that entities may keep. Stearns said the bill might go too far in some areas, including giving the FTC power to define what data companies should and should not keep.
"I think that [Bono Mack] should have started with my legislation, which has bipartisan support, as a base in developing her bill,” Stearns said before the hearing. Stearns recently reintroduced his data protection legislation from the 109th Congress. “I see her bill as a reaction to a specific incident when the focus should be on addressing the general data security issues that have occurred since I was the panel’s chairman in 2005. I look forward to working with her on this bill and I will likely offer amendments that I think would improve it."
The draft bill might delay notification to consumers, Waxman said. The draft would require covered entities to notify consumers within 48 hours after they assess the nature and scope of a breach, take steps to prevent future breaches and restore the integrity of the data system. But the bill sets no deadlines for the three steps that precede the 48-hour shot clock, Waxman said. Waxman also is concerned that the bill deletes additional protections covering information brokers, and makes it difficult for the FTC to modify the definition of personal data, he said. The bill “creates an uneven playing field” by applying tougher requirements to retailers than to non-bank financial institutions, he said. And Waxman disagrees with a provision exempting public records held by local governments.
Companies should notify consumers “as soon as practically possible,” said Democratic FTC Commissioner Edith Ramirez. As an outer limit, 60 days may make sense, but sooner is better, she said. Setting a limit is difficult because response time may depend on circumstances, she said. Ramirez dismissed concerns that the proposed notification law could result in “overnotification” that might desensitize consumers. The “greater danger” would be for consumers not to receive adequate notice, she said.
All entities that hold consumers’ personal information should be covered by legislation, Ramirez said. “If they collect information about a consumer, they ought to be covered,” she said. Public records, if they contain personal information, should be protected, she said. The draft bill’s definition of personal information may be too narrow, she said. It focuses on financial information but not, for example, health data that isn’t protected under the Health Insurance Portability and Accountability Act, Ramirez said. Also, the FTC’s ability to update the definition of personal information could be hamstrung if the agency is held to a vague requirement that any change may not impede innovation, she said.
The FTC on a bipartisan basis supports “legislation that would require companies to implement reasonable data security policies and procedures and, in the appropriate circumstances, provide notification to consumers when there is a security breach,” Ramirez said in written testimony. Ramirez praised the draft for giving the FTC rulemaking authority with standard notice and comment procedures, and for giving the agency power to collect civil penalties for violations. The FTC also supports legislative language authorizing it to sue nonprofit entities for data security violations, and the FTC agrees that data minimization is important, Ramirez said.
Bono Mack told reporters after the hearing that she is open to revising her bill to address concerns voiced by other members. For example, Waxman’s concern about notification potentially “slipping into eternity” is something “we need to kick around a little bit,” she said. The point of releasing a draft was to encourage people to express their opinions, she said.