House Democrat pushes new data breach bill

Rep. David Cicilline is trying to restart the stalled debate on legislation that would require companies to tell customers they have been hacked.

On Tuesday, the Rhode Island Democrat introduced a House companion bill to Sen. Patrick Leahy’s (D-Vt.) Consumer Privacy Protection Act.


Like numerous other Senate and House offerings, the bill mandates that companies inform customers within 30 days of a data breach and that they meet minimum security standards.

But unlike several other measures, Cicilline’s bill would not pre-empt stricter state-level data breach laws, a sticking point for Republicans and Democrats. That element of the bill is a major reason Cicilline’s measure is preferred by consumer advocates and digital rights groups.

“I see this as an important baseline,” Cicilline told The Hill in an interview. “States are the places where very often great innovation in this area is happening. We want to encourage that, but at the same time, we want to make sure there’s a baseline for all consumers.”

But it’s also those state laws that have spurred legislators to seek a federal standard. With 47 different local rules, companies say they are struggling to comply with the patchwork of regulations.

As businesses are hacked at a rapidly increasing rate, they have upped the pressure on Congress to lighten the regulatory burden faced in the wake of a digital intrusion.

Mammoth data breaches at Target, Home Depot, JPMorgan and Anthem, among many others, have also put hundreds of millions of Americans’ private data at risk and spurred calls for action.

“We all have constituents who have great anxiety about their personal information being out there,” Cicilline said.

However, Congress has not yet been able to pass a major anti-hacking bill.

“The more the public hears about these breaches, the more they experience the effects of them, the more they’re going to put pressure on their elected officials in Congress,” Cicilline said. “I’m going to work hard to capture and build on that momentum.”

Cicilline will be vying with other House members to harness that momentum.

Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.) in early May introduced their own data breach bill as a companion to a Senate offering from Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.). Neugebauer chairs the House Financial Services Financial Institutions and Consumer Credit Subcommittee, and the financial industry quickly came out in favor of his measure.

Reps. Peter Welch (D-Vt.) and Marsha Blackburn (R-Tenn.) had previously backed their own bipartisan offering. But Democrats pulled support at the last minute during an Energy and Commerce Committee markup in April. Although the measure was approved along party lines, it did not get a floor vote.

Cicilline said his bill has only Democratic co-sponsors lined up for now, reflecting Leahy’s upper chamber offering, which has the support of five progressive Democrats.

“I do think there’s a coalition that will develop between progressives and some people who are more conservative but assign a deep value to respecting the privacy of individuals,” Cicilline said.

In April, the Rhode Island Democrat voted against the House’s two complementary bills that would boost the public-private exchange of cyber threat data. The votes put him to the left of centrist Democrats on some data security issues and aligned him with privacy advocates, who worried the measures would simply shuttle more personal data to the National Security Agency.

Portions of Cicilline’s data breach bill reflect this position.

It provides the broadest definition of what is considered private information. In addition to data that could lead to financial fraud — banking information, Social Security numbers — the bill counts data that could lead to “dignity harm,” such as personal photos and videos.

“Things which may not result in financial loss but can impose great harm to people if shared widely with the public,” Cicilline explained.

The bill would also create civil penalties for companies failing to comply with the standards.

Civil penalties have been a tough sell for Republicans, who are worried about giving too much power to federal regulators.

Cicilline conceded that he had work to do winning over the GOP. But he maintained that public pressure will eventually force Congress to act, hopefully by the end of the year.

“This is not a complicated bill to understand,” he said. “It’s not going to require lots of study.”