Controversial data breach bill passes House committee

Controversial data breach bill passes House committee
© Getty Images

The House Energy and Commerce Committee approved a controversial bill creating national data security standards after a chaotic markup that revealed deep Democratic concerns about the measure. 

The Data Security and Breach Notification Act appears headed for further changes prior to a vote by the full House. The committee approved it on a party-line vote of 29-20. 

Wednesday’s markup exposed a rift between Energy and Commerce members on key matters, including whether the bill should preempt stronger consumer data protections at the state level. 

Ranking Member Rep. Frank Pallone (D-N.J.) called the legislation “deeply flawed.” 

“I am very concerned,” he said. “I just think that this is moving much too quickly. There are a lot of changes that I think need to be made. I’m very concerned, particularly, about the preemption issue. All of these things need a lot of time and work … I would like to see the process slowed down.” 

The bill from Reps. Marsha BlackburnMarsha BlackburnTrump backs Blackburn's Tennessee Senate bid Corker won’t campaign against Democrat running for Tennessee Senate seat GOP Senate hopefuls race to catch up with Dems MORE (R-Tenn.) and Peter WelchPeter Francis WelchHouse Democrats call for FBI to probe Kushner's ties to Saudi crown prince Lawmakers renew call for end to 'black budget' secrecy So-called ‘Dem’ ethanol bill has it all wrong MORE (D-Vt.) is designed to replace the patchwork of state data security and breach notification laws. 

Currently, companies that experience a data breach or hack must comply with a variety of requirements across the country. Lawmakers consider it a priority to at least streamline the requirement for consumer notification. 

The presence of a national data security standard in the bill has caused problems from the beginning. Democrats and privacy groups argue that replacing stronger state laws will leave consumers vulnerable. 

A series of Democratic amendments to make the standard more specific, to create a floor for data security requirements and to avoid a level of preemption failed. A manager’s amendment and a change capping federal penalties for some breached companies passed with support from Republicans, along with a handful of other amendments. 

Republicans rejected the proposals by saying they are trying to keep the bill “narrowly tailored.” Chairman Fred Upton (R-Mich.) suggested that several Democratic changes would hamper the bill’s chances of passing the Senate. 

“I say this with a smile — I don’t expect to [pass the bill under] suspension,” Upton said, referring to non-controversial measures that require a two-thirds majority vote on the House floor. 

The legislation would require companies to maintain “reasonable security measures and practices” to protect consumer data, and to disclose breaches when there is a risk of consumer harm. The notification would be required to take place within 30 days of when a company determines the scope of a breach and restores their systems. 

In a sign of the controversy surrounding the bill, its lead Democratic cosponsor ultimately voted against it after supporting an amendment from Rep. Bobby Rush (D-Ill.) that would significantly alter the measure’s approach.