House Committee Passes Data Security and Breach Notification Act on Party-Line Vote
On a party-line vote, HR-1770, the Data Security and Breach Notification Act, was passed by the House Commerce Committee Wednesday. Chairman Fred Upton, R-Mich., said during Wednesday’s markup that the legislation is “not quite ready,” but bipartisan amendments could be added before the bill is brought to the House floor next week. The bill’s co-author Rep. Peter Welch, D-Vt., voted against the bill being sent out of committee along with his Democratic colleagues after all proposed Democratic amendments were defeated.
Ranking member Frank Pallone, D-N.J., said he was concerned the bill was moving too fast, especially after Upton said HR-1770 eventually would be combined with House-backed cybersecurity legislation before being sent to the Senate. About 20 amendments to HR-1770 were proposed, most by Democrats.
An amendment by Rep. Adam Kinzinger, R-Ill., expanded the definition of what was considered personal information under the legislation, to include a username or email address, in combination with a password or security question and answer. That amendment passed with bipartisan support.
An amendment from Reps. Bobby Rush, D-Ill., and Jan Schakowsky, D-Ill., which was essentially the bill that Rush and Rep. Joe Barton, R-Texas, introduced and passed through the House six years ago, was defeated on party lines. It would have given the FTC rulemaking authority to “flesh out details as criminals get more and more creative,” Pallone said. Barton supported the inclusion of the Rush-Schakowsky amendment to the measure and said the current bill “doesn’t go far enough.” Pallone said the amendment “strikes the right balance” between lessening burdens for companies and creating strong security standards.
Rep. Marsha Blackburn, R-Tenn., co-author of the legislation, encouraged opposition to the Rush-Schakowsky amendment, saying it would “inject confusion into the law” because it is too broad. Schakowsky said the amendment would give the FCC and FTC joint authority over telecommunications because the bill is much more narrowly focused than the Communications Act. Welch said he supported the amendment out of respect for the groundbreaking work Barton and Rush did, but said the bill is narrow to ensure the highest likelihood it will pass. Legislation protecting geolocation doesn’t exist because “we don’t have consensus on many” privacy concerns, Welch said. The immediate problem that needs to be dealt with is criminals stealing and profiting from financial information, he said.
Rush said he didn’t want to have to tell his constituents that despite their concerns, emails and other data such as health records or credit reports wouldn't be protected, and protections given them under state law would be lessened. Barton was joined by Leonard Lance, R-N.J., in supporting the amendment, which was defeated 23-28.
Rep. Pete Olson, R-Texas, won support for an amendment capping civil penalties. Instead of fining first-time data breach offenders up to $100,000, Olson’s amendment would cap the civil penalties for Section 3 violations at $1,000 per violation. Section 2 violations were capped at $8.76 million. Pallone said he was concerned the amendment’s reduction in penalties would disincentivize companies from being vigilant in securing consumer information. Rep. Anna Eshoo, D-Calif., asked Olson how he determined the caps, to which Olson responded “President Obama.” Eshoo asked Olson to name a company that hasn’t survived paying a data breach penalty and said higher penalties send a strong message that data breaches are serious violations.
Schakowsky opposed the amendment, saying companies are aware security standards are needed from the get-go, and disagreed companies shouldn't be heavily fined for a first violation. Rep. Kurt Schrader, D-Ore., said he supported the Olson amendment because it protects small businesses. Barton voted against the amendment, which ultimately passed on a party-line 30-20 vote.
Eshoo’s amendment that would make the 2003 California state data breach law the baseline for the federal legislation was defeated, along with an amendment from Rep. Jerry McNerney, D-Calif., that would require the U.S. Secret Service and the FBI to be notified in addition to state attorneys general when a breach occurs. Two amendments from Rep. Joseph Kennedy, D-Mass., dealing with broad pre-emption of state laws on unfair and deceptive act practices and state security common laws were also defeated.
A block of amendments from Rep. Tony Cárdenas, D-Calif., was withdrawn at Upton’s request for the sake of time. Upton promised Cárdenas’ amendments, which included a requirement for companies to provide breach information in a customer’s native language when asked, would be considered in bipartisan discussions on the legislation in the next week.
Blackburn won approval of a manager’s amendment that she said clarified the intent of the language of the bill. Pallone said the amendment left large gaps and did not protect telecommunications, cable and satellite users. Schakowsky expressed concern with the addition of the word “and” in the amendment, saying companies would now have to determine a breach occurred and determine customer data was acquired before notifying consumers.
Barton introduced a block of five amendments and withdrew all but one technical amendment, with assurances from Upton the issues raised in the amendments would be discussed before the bill was brought to the floor. Barton’s technical amendment passed with bipartisan support.