Communications Litigation Today was a service of Warren Communications News.
Us vs. Them

Markup for Bipartisan Data Security, Breach Notification Draft Turns Into Partisan Affair

March 26, 2015 by Katie Rucke|Top News

Present members of the House Commerce, Manufacturing and Trade Subcommittee unanimously accepted four bipartisan amendments during Wednesday’s markup of the Data Security and Breach Notification Act draft following last week’s hearing (see 1503180053). The Republican-led subcommittee declined to adopt any amendments proposed solely by Democratic members.

Despite objections from Democratic members, the bill is moving forward and expected to be considered by the full Commerce Committee next month. CEA hailed the subcommittee's action Wednesday as a "win-win" because it will protect consumers "while giving businesses the flexibility to innovate." CEA thinks a "uniform, nationwide standard, as proposed in this bill, will ensure that consumers everywhere -- regardless of state lines -- have the information they need to mitigate potential damage and protect their identities, while making it easier for businesses to protect their customers," President Gary Shapiro said in a Wednesday statement. The bill would replace "the patchwork of state and federal data security laws that is conflicting, inconsistent and confusing," Shapiro said. The subcommittee's action means "we are now one step closer to having one federal standard that will uniformly protect consumers from data breaches,” he said.

Whether the bipartisan draft introduced by Chairman Michael Burgess, R-Texas, Rep. Marsha Blackburn, R-Tenn., and Rep. Peter Welch, D-Vt., adequately protects consumers was questioned during Wednesday’s markup and during the opening statements for the markup session, which began Tuesday.

FCC Public Safety Bureau Chief Counsel-Cybersecurity Clete Johnson raised concerns during the markup about whether information such as how many calls a person has made, what time of day the call occurred, who was called, whether the individual has caller ID, call waiting and what TV shows an individual watched would be protected, as the FCC would no longer have authority under the draft. The FTC would take over for the FCC, but in areas where the FCC formerly had authority, the authority granted to the FTC would be less than was given to the FCC, Johnson said.

All four amendments accepted Wednesday were bipartisan. The first was proposed by Burgess and Welch, and clarified the bill's language about who's covered, Burgess said. Welch clarified with counsel that the bill wouldn't pre-empt state laws on privacy and whether the bill had anything to do with the FCC open Internet order. The amendment was unanimously accepted. The second amendment proposed and unanimously accepted was by Rep. Mike Pompeo, R-Kan., and Welch. The amendment clarified third-party notice provisions when a data breach occurs. Pompeo said outstanding concerns remain with this part of the bill.

Rep. Tony Cárdenas, D-Calif., and Blackburn, introduced two amendments, one of which would require the FTC to establish and maintain a website with nonbinding best practices for businesses for data security and how to prevent hacking and other unauthorized access to or use of data. The other would require the FTC to do education and outreach on data security practices and how to prevent hacking for small businesses. Both were unanimously approved by subcommittee members. The sole Republican to introduce a partisan amendment, Pompeo, withdrew his amendment.

Rep. Yvette Clarke, D-N.Y., introduced an amendment that would have given the FTC rulemaking authority to modify the definition of “personal information.” Clarke said the definition in the current draft of personal information is “too narrow” and fails to include health and medical information, which she said appears to have become more valuable than credit card information. Burgess objected to Clarke’s amendment, saying there's nothing in the draft that revokes Congress’ ability to change what constitutes personal information. Ranking member Jan Schakowsky, D-Ill., supported the Clarke amendment, noting that in 2009 Congress didn’t include geolocation information as personal information and the Health Insurance Portability and Accountability Act doesn’t cover many things such as health products purchased online or at a pharmacy. Rep. Frank Pallone, D-N.J., also supported the Clarke amendment, saying the current limited definition of personal information could hurt efforts to protect consumers because the bill was not only narrow, but pre-empted stronger state laws. Clarke’s amendment failed to pass, with subcommittee members voting along party lines 7-12.

Rep. Bobby Rush, D-Ill., introduced two amendments. The first would allow the FCC to continue to regulate telecom providers, voice over Internet, and cable and satellite service providers. Burgess took issue with the amendment, saying the draft isn't a privacy bill. Rush interjected during Burgess’ five minutes saying he recognizes this isn't a privacy bill, but if passed as is, the bill would prevent the FCC from enforcing privacy protections because it’s nearly impossible to separate data security from privacy. Schakowsky and Pallone backed the amendment, which failed in a partisan 7 to 12 vote.

Rush’s second amendment would have amended the Communications Act to include data security and breach notification to ensure consumers are notified when a breach occurs. If the bill is adopted as is, “we have left the American consumer open, not protected at all,” Rush said, encouraging colleagues on both sides of the aisle to vote in favor of his amendment. Burgess objected to broadband providers being tasked with the responsibility to monitor networks and notify victims when a breach occurred. Schakowsky and Pallone backed Rush’s second amendment, which also failed to pass.

Rep. Joseph Kennedy, D-Mass., also proposed two amendments. The first would have allowed stronger state laws to pre-empt the federal law on standards of breach security, while allowing creation of a federal standard for data breach notification. Rep. Pete Olson, R-Texas, said he didn’t support the amendment because it would create multiple standards for data breach notifications and confuse those the bill aimed to help. Kennedy clarified the bill wouldn’t create an additional standard and was supported by Schakowsky and Pallone, who said the amendment would allow state attorneys general to continue to protect consumers without having to rely on consumer complaints or news reports. The amendment failed on a vote of 7-11.

The second amendment Kennedy proposed would have clarified the conflicting language in Section 6A and 6B of the draft to ensure there were common law protections for consumers. Schakowsky, Pallone and Rush backed Kennedy’s amendment. Burgess disagreed with the need for the amendment and said pre-emption is important for consumers and businesses, and held up two poster boards with bar graphs displaying how consumers across the nation “will be better served and protected by the draft.” The amendment failed to pass on another partisan vote.