Bipartisan House lawmakers roll out data breach bill

A bipartisan pair of House lawmakers is rolling out draft legislation to protect people whose data may have been stolen by hackers.

“Until today, Washington has been asleep at the switch while millions of Americans have had their personal information stolen by cyber criminals,” Rep. Peter Welch (D-Vt.), one of the authors of the Data Security and Breach Notification Act, said in unveiling the bill. “While this draft bill is far from perfect, it is an important step in the right direction.”

The new legislation from Welch and Rep. Marsha Blackburn (R-Tenn.) would hold companies to a new national digital security standard that the authors claim is flexible enough not to restrain companies.

It would also require that companies that have been breached notify people whose data may have been stolen within 30 days, unless there isn’t a reasonable risk of identity theft or financial harm.

“As one of the tens of millions of Americans who has been a victim of a data breach I know firsthand the great importance of needing to protect our personal information from identity theft,” Blackburn said in a statement. “This bill will help enhance the security of sensitive information and provide much needed clarity by creating a national standard and ensure that consumers are notified of a breach without unreasonable delay.”

Violating the new bill’s rules would qualify as an unfair and deceptive practice subject to enforcement from the Federal Trade Commission and state attorneys general.

The legislation would not apply to companies already subject to other data protection laws — such as medical facilities, for instance — and would also not impact privacy law, the lawmakers said.

Legislators will consider the bill at a hearing in the Energy and Commerce Committee on March 18.

Congress has long attempted to write a bill requiring companies to notify people after a data breach, but the efforts have failed to get off the ground. Some Republican lawmakers have worried about an overly intrusive federal mandate, while Democrats have feared that legislation could preempt stronger protections that currently exist at the state level.