House Panel OK's National Breach Notification Bill
Amendment to Allow States to Impose Stricter Security Requirements Fails
(This story has been updated.)
The House Financial Services Committee, by a 46-9 vote, approved on Dec. 9 the Data Security Act of 2015, which would establish minimum security protections at businesses as well as create a national requirement for data breach notification.
HR 2205 would supplant 47 state laws with a single, national breach notification statute. Businesses generally support a single law because they contend it's burdensome to comply with various state laws.
During the panel's Dec. 8 debate on the legislation, Committee Chairman Jeb Hensarling, R-Texas, pointed out that the House Energy and Commerce Committee approved in April a similar bill, the Data Security and Breach Notification Act, so both panels would need to negotiate a final measure to present to the full House (see National Data Breach Notification Bill Advances). "This is really the beginning of the process," Hensarling said.
The legislation would establish a security regime its sponsors contend would secure sensitive financial account information and nonpublic personally identifiable information. The measure specifically identifies security controls organizations should adopt, including those involving access controls and restrictions, use of encryption of sensitive information and monitoring systems. The bill also directs businesses to require their third-party service providers to implement appropriate safeguards for sensitive information.
Several members said the legislation's processes could be better defined. One member, Rep. Denny Heck, D-Wash., complained that the legislation strips states' insurance commissioners, whom he maintains work smoothly together, of their powers to regulate security among insurers. The bill's sponsors, Reps. Randy Neugebauer, R-Texas, and John Carney, D-Del., conceded the measure could be improved and promised they'll work with members to strengthen the legislation before it reaches the House floor.
The most contentious part of the legislation would usurp laws in 12 states that require businesses operating in their jurisdiction to adopt specific IT security measures. An association of states' attorneys general has objected to that provision. Massachusetts Assistant Attorney General Sara Cable, testifying before Congress earlier this year, argued that preempting state laws "represents a significant retraction of existing protections for consumers at a time when such protections are imperative. Minimum data security standards are important and necessary, but the proposed standards leave consumers' data vulnerable" (see Barriers to a Breach Notification Law).
The AGs' reservations about the bill prompted the committee's ranking member, Democrat Maxine Waters of California, to offer an amendment to allow states to provide more stringent security requirements. The panel defeated the amendment on a voice vote.
Carney said a number of experts who reviewed the bill agree that only Massachusetts among the dozen states had stronger data security provisions than those offered in the Data Security Act.
Neugebauer said the Data Security Act is aimed to prevent what Waters seeks: different security laws in different states. "The problem is if you start this down-the-road of one-upmanship where now everybody raises their standard ... then we're back where we started from and basically inhibiting the ability to have a national standard and not to impact commerce in a negative way," he said. "That's the beauty and the reason the Founders put the Commerce Clause in there. There are certain things that we need unified between these 50 states."
The Data Security Act is written to allow businesses in different sectors to adapt security measures to fit their specific businesses. Indeed, regulatory enforcement would be scattered among various agencies including the Federal Trade Commission, the Comptroller of the Currency, the Federal Reserve System, the Federal Deposit Insurance Corp., the National Credit Union Administration, the Securities and Exchange Commission, the Commodity Futures Trading Commission, the Office of Federal Housing Enterprise Oversight and state insurance authorities.
Entities covered by the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act - HIPAA and HITECH, respectively - would be exempt from the Data Security Act provisions.
Bankers generally favor the Data Security Act because it's modeled on existing laws applicable to the smallest credit unions and largest banks, Steven Zeisel, executive vice president of the Consumer Bankers Association, wrote in an article published on TheHill.com. Zeisel contends the bill would apply security standards that are proportional to the type of information the business holds. "If a company is collecting your information to aid quicker check-outs or marketing, it should be held to a higher standard than one that is not," he says.
Retailers Voice Opposition
But that existing model that works for banks won't necessarily transfer to other businesses and would prove burdensome, Jennifer Safavian, an executive vice president at the Retail Industry Leaders Association, a trade group, says in a Dec. 8 letter sent to the committee's leaders. One provision she cites would require employees who touch sensitive account information, defined as a credit or debit card, to first pass a criminal background check.
"Haphazardly slapping rules that were written 15 years ago for the financial industry on retailers, restaurants and thousands of small businesses is not the kind of data security legislation that will safeguard our economy," Safavian says. "This is red tape masquerading as security."
"Permanently codifying new standards will hinder efforts by retailers and other industries to adapt to an evolving threat landscape," Safavian says.
Privacy advocates and consumer protection groups contend the legislation would weaken consumer protections. In a Dec. 7 letter to the committee's leaders, a collection of 17 privacy and consumer protection groups wrote that the Data Security Act would squelch new and developing state laws that extend data security and breach notification protections to online account login information, including email accounts and cloud photo storage. The letter also says the legislation would eliminate virtually all avenues of redress for consumers. "If this bill were to pass, state attorneys general would be limited to seeking civil penalties and injunctive relief, even in cases where consumers suffer extensive harm as a result of a breach of highly sensitive information," the letter says. "This would provide harmed consumers with no relief."