Data Security Bill Shows More Momentum than Privacy Legislation in House
Data security legislation seems likely to move sooner through the House Commerce Committee than other privacy legislation, House lawmakers and aides said. But state preemption and other dicey issues could trip up a federal measure to protect consumers in data breaches, other lobbyists said. The Safe Data Act (HR-2577) by Rep. Mary Bono Mack, R-Calif., is slated to receive a markup this September in the House Commerce Committee, House officials said. Other privacy bills have stalled and it’s unclear when they will receive committee votes.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
"We hope to mark up Rep. Bono Mack’s bill in September,” her spokesman said. Rep. Cliff Stearns, R-Fla., told us he is “hopeful that privacy legislation could get done this year,” but it looks like Bono Mack’s subcommittee “will focus on data security legislation first.” It’s likely that a markup on Bono Mack’s data protection bill “will take place in September before more privacy hearings will be held,” Stearns said. He has a privacy bill (HR-1528) that hasn’t moved past Bono Mack’s subcommittee. A House Commerce Committee spokeswoman said the committee’s September schedule “has not yet been set."
Data security appears to be first up, given the recent spate of hacking, a House aide said. Bono Mack has taken ownership on data security and privacy, and has signaled that data is the priority, the aide said. In the Senate, the Commerce and Judiciary committees each have data security bills pending and are in the process of figuring out how to reconcile them, a Senate aide said. Sen. Tom Carper, D-Del., hopes that his Data Security Act (S-1434) “is considered as part of a broader cybersecurity bill later this year,” his aide said.
Bono Mack’s office is working on data security and privacy simultaneously, her spokesman said. “We have a lot of momentum now for passing a data security bill but we're not losing sight of the broader privacy issue either.” Data breach is very much on the minds of legislators, he said: “There is a growing number of lawmakers on both sides of the aisle who recognize that data breach is becoming much more frequent and consumers need to have some important safeguards in place.” Congress has introduced seven data protection bills since the data breaches at Sony and Epsilon this spring.
Privacy bills not focused on data security have seen little movement lately. Bono Mack’s subcommittee has not voted on the Stearns bill or do-not-track bills by Reps. Ed Markey, D-Mass. (HR-1895), and Jackie Speier, D-Calif. (HR-654). A separate privacy bill by Speier related to financial institutions (HR-653) is pending in a House Financial Services subcommittee. A location privacy bill (HR-2168) by Rep. Jason Chaffetz, R-Utah, is pending in the House Judiciary Subcommittee on Crime and the Permanent Select Committee on Intelligence. Pending before Senate Commerce is a do-not-track bill (S-913) by Chairman Jay Rockefeller, D-W.Va., and a commercial privacy bill by Senate Communications Subcommittee Chairman John Kerry, D-Mass. At the Senate Judiciary Committee are location privacy bills by Sen. Al Franken, D-Minn. (S-1223), and Ron Wyden, D-Ore. (S-1212), and an update to the Electronic Communications Privacy Act (ECPA) by Chairman Patrick Leahy, D-Vt.
Markey and HR-1895’s cosponsor Rep. Joe Barton, R-Texas, are looking for more co-sponsors and holding meetings with stakeholders, a Markey spokeswoman told us. Markey and Barton are co-chairs of the Congressional Privacy Caucus and hope to have a public briefing -- the caucus equivalent of a committee hearing -- on their bill this fall, she said. Chaffetz plans to make his location privacy bill a priority and hopes to have a hearing on it in the House Judiciary Committee this fall, a House GOP aide said. Leahy is continuing to work with other senators on his ECPA and data security bills, but the Judiciary Committee’s fall markup schedule isn’t set, his spokeswoman said.
There’s a better-than-even chance Congress will pass some type of data breach legislation by the end of the 112th Congress and 2012, but it’s less likely they'll finish work on the other privacy issues, a Republican telecom lobbyist said. Bono Mack’s bill faces opposition from House Commerce Democrats who think the bill is too friendly to industry, but the Senate Commerce Committee’s data protection bill by Rockefeller and Sen. Mark Pryor, D-Ark., is not worded much differently, the lobbyist said. “Data protection appears to have a path forward given the consensus that’s been building,” MF Global analyst Paul Gallant said. “But online privacy seems to have stalled out after some progress earlier this year.”
Some lobbyists think privacy legislation will move before data security. The appetite for privacy legislation is high, said Lisa Sotto, a privacy and information management attorney at Hunton & Williams. “We have seen more serious privacy bills in Congress this session than ever before.” Kerry’s bill seems to be seriously monitored, she said. It was “heavily negotiated before it was issued, so there was a lot of behind the scenes discussion,” she said. Although it’s still an uphill battle for anything to get passed, “something on privacy may have a better opportunity,” said Brad Thaler, legislative affairs vice president at the National Association of Federal Credit Unions.
The data security measures could be held up as Congress decides on how best to handle state preemption, Sotto said. There also are questions on the harm threshold in a data breach law, she said: “Would the law be triggered without there being a significant risk of harm as a result of a security incident?” Some legislation is very complex and “will require a significant amount of work to get to a position where the bill will be palatable,” she added. Any ultimate solution for data security legislation will likely be comprehensive, Thaler said. “You have a number of different committees looking at the security bills.” Passing one is probably a long way off, he added: “I think we're probably looking into the next Congress.” A new massive data breach incident could speed things up, he said.
Bills concerning cybersecurity and data retention put some reform of ECPA into play, the Center for Democracy and Technology said. “It’s clear that there are other bills under consideration that relate to ECPA reform,” like the Obama administration’s cybersecurity proposal, said James Dempsey, public policy vice president. It’s only logical that if legislation expanding government power is considered, “there should also be some countervailing checks and balances on the government’s authority,” he said. CDT is part of the Digital Due Process Coalition that has met with agencies and the White House to urge ECPA reform . Cybersecurity would probably have priority, “but it’s been difficult to move anything of substance in this Congress,” including ECPA, said Jay Stanley, a director of the ACLU Technology and Liberty Program. With many moving parts, he said, “it could be held hostage due to some small issue.”