Controversial data breach bill passes House committee

Controversial data breach bill passes House committee
© Getty Images

The House Energy and Commerce Committee approved a controversial bill creating national data security standards after a chaotic markup that revealed deep Democratic concerns about the measure. 

The Data Security and Breach Notification Act appears headed for further changes prior to a vote by the full House. The committee approved it on a party-line vote of 29-20. 

Wednesday’s markup exposed a rift between Energy and Commerce members on key matters, including whether the bill should preempt stronger consumer data protections at the state level. 

Ranking Member Rep. Frank Pallone (D-N.J.) called the legislation “deeply flawed.” 

“I am very concerned,” he said. “I just think that this is moving much too quickly. There are a lot of changes that I think need to be made. I’m very concerned, particularly, about the preemption issue. All of these things need a lot of time and work … I would like to see the process slowed down.” 

The bill from Reps. Marsha BlackburnMarsha BlackburnTrump circuit court nominee in jeopardy amid GOP opposition Progressive freshmen jump into leadership PAC fundraising On The Money: US paid record .1B in tariffs in September | Dems ramp up oversight of 'opportunity zones' | Judge hints at letting House lawsuit over Trump tax returns proceed MORE (R-Tenn.) and Peter WelchPeter Francis WelchImpeachment hearing breaks into laughter after Democrat contrasts it to Hallmark movie Diplomat ties Trump closer to Ukraine furor Impeachment hearing breaks into laughter after Democrat invites Trump to testify MORE (D-Vt.) is designed to replace the patchwork of state data security and breach notification laws. 

Currently, companies that experience a data breach or hack must comply with a variety of requirements across the country. Lawmakers consider it a priority to at least streamline the requirement for consumer notification. 

The presence of a national data security standard in the bill has caused problems from the beginning. Democrats and privacy groups argue that replacing stronger state laws will leave consumers vulnerable. 

A series of Democratic amendments to make the standard more specific, to create a floor for data security requirements and to avoid a level of preemption failed. A manager’s amendment and a change capping federal penalties for some breached companies passed with support from Republicans, along with a handful of other amendments. 

Republicans rejected the proposals by saying they are trying to keep the bill “narrowly tailored.” Chairman Fred Upton (R-Mich.) suggested that several Democratic changes would hamper the bill’s chances of passing the Senate. 

“I say this with a smile — I don’t expect to [pass the bill under] suspension,” Upton said, referring to non-controversial measures that require a two-thirds majority vote on the House floor. 

The legislation would require companies to maintain “reasonable security measures and practices” to protect consumer data, and to disclose breaches when there is a risk of consumer harm. The notification would be required to take place within 30 days of when a company determines the scope of a breach and restores their systems. 

In a sign of the controversy surrounding the bill, its lead Democratic cosponsor ultimately voted against it after supporting an amendment from Rep. Bobby Rush (D-Ill.) that would significantly alter the measure’s approach.