The House Energy and Commerce Committee approved a controversial bill creating national data security standards after a chaotic markup that revealed deep Democratic concerns about the measure.
The Data Security and Breach Notification Act appears headed for further changes prior to a vote by the full House. The committee approved it on a party-line vote of 29-20.
Ranking Member Rep. Frank Pallone (D-N.J.) called the legislation “deeply flawed.”
“I am very concerned,” he said. “I just think that this is moving much too quickly. There are a lot of changes that I think need to be made. I’m very concerned, particularly, about the preemption issue. All of these things need a lot of time and work … I would like to see the process slowed down.”
The bill from Reps. Marsha BlackburnMarsha BlackburnHouse votes to double budget for Planned Parenthood investigation Will Trump back women’s museum? The Hill's 12:30 Report MORE (R-Tenn.) and Peter WelchPeter WelchDems delay vote on picking leaders Left emboldened for post-Obama era Yahoo hack spurs push for legislation MORE (D-Vt.) is designed to replace the patchwork of state data security and breach notification laws.
Currently, companies that experience a data breach or hack must comply with a variety of requirements across the country. Lawmakers consider it a priority to at least streamline the requirement for consumer notification.
The presence of a national data security standard in the bill has caused problems from the beginning. Democrats and privacy groups argue that replacing stronger state laws will leave consumers vulnerable.
A series of Democratic amendments to make the standard more specific, to create a floor for data security requirements and to avoid a level of preemption failed. A manager’s amendment and a change capping federal penalties for some breached companies passed with support from Republicans, along with a handful of other amendments.
Republicans rejected the proposals by saying they are trying to keep the bill “narrowly tailored.” Chairman Fred Upton (R-Mich.) suggested that several Democratic changes would hamper the bill’s chances of passing the Senate.
“I say this with a smile — I don’t expect to [pass the bill under] suspension,” Upton said, referring to non-controversial measures that require a two-thirds majority vote on the House floor.
The legislation would require companies to maintain “reasonable security measures and practices” to protect consumer data, and to disclose breaches when there is a risk of consumer harm. The notification would be required to take place within 30 days of when a company determines the scope of a breach and restores their systems.
In a sign of the controversy surrounding the bill, its lead Democratic cosponsor ultimately voted against it after supporting an amendment from Rep. Bobby Rush (D-Ill.) that would significantly alter the measure’s approach.