Republicans pushed a data security bill through a House subcommittee Wednesday despite complaints from Democrats that the measure does not do enough to protect consumer privacy.
The Commerce, Manufacturing and Trade subcommittee approved the Secure and Fortify Electronic (SAFE) Data Act in a voice vote. The measure will now move to the full Energy and Commerce Committee for consideration.
The bill, sponsored by subcommittee Chairman Mary Bono Back (R-Calif.), would establish a national standard for when companies are required to notify consumers that their personal information has been hacked.
“It’s time for Congress to take decisive action,” Bono Mack said. “Sophisticated and carefully orchestrated cyber-attacks — designed to obtain personal information about consumers, especially when it comes to their credit cards — have become one of the fastest growing criminal enterprises here in the United States and across the world.”
The bill would require companies to notify consumers within 48 hours of discovering their information was breached, and gives the FTC authority over nonprofits for the purposes of the bill.
Additionally, the measure would require companies that have access to people’s personal information to maintain security standards to prevent a breach.
The House approved a similar data protection measure under Democratic control in 2009, but the bill died in the Senate.
The sticking point for lawmakers on Wednesday was the bill’s definition of “personal information.”
Rep. Henry Waxman (D-Calif.) said, “Perhaps the biggest loophole is the bill’s definition of ‘personal information.' Under the current version of the bill, most personal information stored online or in company databases is not protected.”
Democrats offered a series of amendments to expand the definition of “personal information” to include protections for photographs and videos, records of video and book rentals and records of over-the-counter drug purchases, including pregnancy tests.
Rep. G.K. Butterfield (D-N.C.) offered an amendment to require phone companies to notify subscribers if data — including the location of children — is breached.
Those amendments did not pass. The only Democratic amendment that the committee approved was a minor one from Rep. Bobby Rush (D-Ill.) to change the bill’s language from “such personal information” to “data containing personal information.”
Republicans argued that the purpose of the bill is to protect consumers’ financial data from identity theft — not general privacy issues.
“I have respect for many of the amendments offered by my colleagues on the other side of the alley,” Rep. Charlie Bass (R-N.H.) said. “But where does it end?”
Bass and other Republicans said that concerns over private data should be addressed in separate legislation.
Waxman, however, argued that the SAFE Data Act would pre-empt state laws protecting privacy.
“This bill eliminates scores of state consumer protections without putting equivalent or stronger federal protections in their place,” Waxman said.
The committee approved an amendment from Rep. Pete Olson (R-Texas) and Rep. Marsha Blackburn (R-Tenn.) to restrict the FTC’s ability to expand the definition of personal information through its rulemaking process.
By 9 to 10, the panel narrowly rejected Rush’s motion to substitute the entire bill with his measure that passed the House in 2009. Rep. Joe Barton (R-Texas) voted with Democrats.
Bono Mack defended her changes to the Democratic version of the bill.
“Yes, we passed it out of the House a couple of times, to go nowhere,” she said. “Every bill in this Congress deserves a fresh look. The American people deserve that.”
The session began acrimoniously when Waxman objected to skipping the reading of the bill, requiring the clerk to read the entire 32-page bill aloud.
“We are sending a signal,” Waxman said.
He withdrew his objection part of the way through the reading when committee Chairman Fred Upton (R-Mich.) rescheduled a separate subcommittee hearing to allow members to attend both.