Bipartisan House lawmakers roll out data breach bill

A bipartisan pair of House lawmakers is rolling out draft legislation to protect people whose data may have been stolen by hackers.

“Until today, Washington has been asleep at the switch while millions of Americans have had their personal information stolen by cyber criminals,” Rep. Peter Welch (D-Vt.), one of the authors of the Data Security and Breach Notification Act, said in unveiling the bill. “While this draft bill is far from perfect, it is an important step in the right direction.”


The new legislation from Welch and Rep. Marsha Blackburn (R-Tenn.) would hold companies to a new national digital security standard that the authors claim is flexible enough not to restrain companies.

It would also require that companies that have been breached notify people whose data may have been stolen within 30 days, unless there isn’t a reasonable risk of identity theft or financial harm.

“As one of the tens of millions of Americans who has been a victim of a data breach I know firsthand the great importance of needing to protect our personal information from identity theft,” Blackburn said in a statement. “This bill will help enhance the security of sensitive information and provide much needed clarity by creating a national standard and ensure that consumers are notified of a breach without unreasonable delay.”

Violating the new bill’s rules would qualify as an unfair and deceptive practice subject to enforcement from the Federal Trade Commission and state attorneys general.

The legislation would not apply to companies already subject to other data protection laws — such as medical facilities, for instance — and would also not impact privacy law, the lawmakers said.

Legislators will consider the bill at a hearing in the Energy and Commerce Committee on March 18.

Congress has long attempted to write a bill requiring companies to notify people after a data breach, but the efforts have failed to get off the ground. Some Republican lawmakers have worried about an overly intrusive federal mandate, while Democrats have feared that legislation could preempt stronger protections that currently exist at the state level.