Draft of Breach Notification Bill Criticized
Sponsor Bono Mack Praises Bill as Response to Recent Breaches
"Overall, this draft is not balanced," Rep. Henry Waxman, D-Calif., said at a hearing Wednesday on the measure. "It gives businesses too many protections and consumers not enough. It preempts strong state laws and replaces them with a weak federal one."
The draft's sponsor, Rep. Mary Bono Mack, R-Calif., didn't agree, saying the SAFE Data Act builds on legislation passed by the House in 2009 but never acted upon in the Senate. "Most importantly," she said, "it reflects the changing landscape of data breaches and data security since that time."
In testimony before the House Commerce and Energy Subcommittee on Commerce, Manufacturing and Trade, chaired by Bono Mack, Commissioner Edith Ramirez of the Federal Trade Commission endorsed the draft.
Bono Mack, in her opening statement, said the final version will likely change before a vote is taken, calling the draft "our opening shot."
That's something Waxman hopes happens. While some provisions in the draft strengthen earlier legislation, he said - such as a new provision requiring companies to have plans to minimize the personal data they retain on individuals - other changes weaken the bill.
For instance, Waxman contended that the April breach of Sony PlayStation that exposed the personal information of 77 million customers would not have required consumer notification under the draft provisions.
And he said banks get off too easily. "This draft creates an uneven playing field with potentially stronger data security and breach notification requirements for retailers than for nonbank financial institutions," Waxman said. "There is no reason why financial institutions should be subject to smaller penalties for violations than retailers."
In prepared remarks, the FTC's Ramirez expressed support for the draft's provisions that authorize the use of standard notice-and-comment procedures rather than the more burdensome rulemaking process under the FTC Act. That, Ramirez said, would allow the FTC to promulgate rules in a more timely and efficient manner.
The commissioner also said the FTC supports provisions authorizing the agency to obtain civil penalties for violations. "Civil penalties are particularly important in areas such as data security, where the commission's traditional equitable remedies - including consumer restitution and disgorgement - may be impractical or not optimally effective," she said.
Ramirez said the FTC supports the draft's provisions that would authorize the commission to sue non-profit entities for data security violations. She also noted a recent FTC staff report that takes the same position as the draft that data minimization is an important component of data security.
Bono Mack said the draft would require:
- Companies and other entities that hold personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of that data.
- The notification of law enforcement within 48 hours after discovery of a breach, unless that breach was an innocent or inadvertent breach unlikely to result in harm.
- Organizations to begin notifying consumers 48 hours after taking steps to prevent further breach and determining who has to be notified.
The SAFE Data Act also would give the FTC authority over non-profits for purposes of breach notification. "These organizations often possess a tremendous amount of consumer information, and they have been subjected to numerous breaches in the past," she said. "At the same time, we want to work with those affected, as well as the FTC, to make sure any new regulations are not burdensome for small businesses, especially during these difficult economic times."
In addition, the draft would grant the FTC authority to write rules that take into account the size and nature of the data that is being held online. "Clearly," Bono Mack said, "there are obvious differences between information brokers and local retail businesses, and the rules should reflect those differences."
The proposed legislation also would require all covered businesses to establish a data minimization plan providing for the elimination of consumers' personal data that is no longer necessary for business purposes or for other legal obligations.
And, it would preempt similar laws in 47 different states to create uniform national standards for data security and data breach notification.