Data security legislation moved forward in the U.S. House of Representatives last week after Democrats lost a hard-fought battle to insert a number of consumer protections into the industry-backed bill, portending a contentious path to passage.
At the heart of the debate is how much it will cost American businesses to comply with federal legislation protecting the data they collect and maintain. With nearly half of the states enforcing their own data breach notification laws, it likely would be more cost-effective to comply with a single national law—unless the national law were tougher.
Rep. Joe Barton, R-Texas, chairman of the House Committee on Energy and Commerce, said he plans to push the Data Accountability and Trust Act forward quickly after last weeks 13-8 approval of the measure by the Subcommittee on Commerce, Trade and Consumer Protection.
Complaining that Republicans were rushing to get the bill approved before working out important details, Reps. Jan Schakowsky, D-Ill., and Ed Markey, D-Mass., offered more than a dozen amendments. Schakowsky and Markey were most critical of the bills standard for notification, which requires a company to inform consumers of a breach only when the company determines there is a significant risk of identity theft, fraud or other unlawful behavior.
Calling the leaderships bill "a slap in the face to the millions of American consumers who have had their personal information breached this year," Schakowsky said that under the bills standard nobody would have been notified of the many well-publicized breaches that have taken place in recent months.
Democrats sought provisions that would require companies to notify a federal agency each time personal information is compromised, maintain an audit trail to track how breaches occur, allow consumers to inspect personal information held by data brokers and correct it if it is erroneous, and give states powers to enforce the law.
Markey also sought restrictions on selling Social Security numbers and on the practice of transferring personal information to overseas databases. Thirteen of the 20 countries that receive the bulk of U.S. data, including Pakistan, Bangladesh, Thailand and Brazil, do not have adequate data protection laws, he said.
In an attempt to mollify Democrats, Rep. Cliff Stearns, R-Fla., chairman of the subcommittee, made a number of changes to the bill, which he had introduced, and said broader privacy legislation will be taken up next year.
"I believe quick passage [of the data security bill] is necessary to take that first step," Stearns said. "This bill is the beginning of a long process."
Many in industry support the Stearns bill and the effort to address security and privacy concerns in separate legislation. Dan Burton, top lobbyist for security vendor Entrust Inc., said the bills security requirements and its threshold for notification are appropriate. Because of the growing number of state bills, its important for Congress to act soon, Burton said.
"The steady drumbeat of the states is continuing," he said from Washington. "The states are getting tougher and tougher."