Legislation to create a national data security and breach notification standard moved forward Wednesday over objections from Democratic lawmakers.
The House Energy and Commerce Subcommittee on Trade approved the bill by voice vote after a markup that saw five Democratic amendments rejected along party lines.
The measure would require companies to maintain reasonable security practices and inform customers within 30 days if their data might have been stolen during a breach.
Violating the bill’s rules would subject companies to enforcement actions by the Federal Trade Commission (FTC).
Disagreements over the bill lie in its pre-emption of state data security and breach notification standards.
Several Democrats argued that the legislation, while saving companies the hassle of following separate state laws, would do away with stronger consumer protections at the state level.
Massachusetts Attorney General Maura Healey has criticized the legislation, saying it would “scale back our state’s essential safeguards against cybercrime.”
Noting Healey’s position, Rep. Joseph Kennedy (D-Mass.) offered two amendments to prevent the bill from pre-empting state data security requirements and pertinent common law. The changes lacked Republican support and did not pass.
Lawmakers are in a tricky position with the data breach bill, which has been touted by the White House.
Major interest groups and companies have called for a single breach notification standard that would allow them to avoid following a patchwork of state requirements.
Lawmakers have made several attempts to pass such legislation, but all of them failed to reach the finish line in the last Congress due to committee turf wars and objections by consumer advocates.
At the same time, the current measure is gaining more Democratic support. Reps. Tony Cárdenas (D-Calif.) and Dave Loebsack (D-Iowa) have both endorsed the bill in addition to Welch, a spokesman for the Vermont Democrat said.
The Trade subpanel approved a manager’s amendment to the bill containing technical changes, as well as an amendment from Rep. Joe Pompeo (R-Kan.) and two from Cárdenas.
The amendments would require breached third-party vendors to notify affected consumers, and compel the FTC to educate small businesses about data security and maintain a related website.
— This post was updated at 2:48 p.m.