Data Breach Notification Legislation on the Agenda for 114th Congress

Data breach notification is a hot issue in Washington, DC, with multiple bills introduced in Congress. On April 14, 2015, Representatives Marsha Blackburn (R-TN) and Peter Welch (D-VT) introduced H.R. 1770, the Data Security and Breach Notification Act of 2015, which would require organizations to implement reasonable and appropriate cybersecurity measures and notify customers when personally identifiable information (PII) has been or may have been compromised.

The House bill would preempt the 47 state laws currently governing data breach notification and give the Federal Trade Commission (FTC) authority to enforce the federal standard. Under the proposal, exemptions would be made for information already covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), which would include some information collected and controlled by higher education institutions. Additionally, the bill would require entities to notify customers of a breach that could cause financial harm within 30 days of the breach’s discovery. The bill covers any nonprofit organization, even one that would not typically fall under FTC jurisdiction.

In the Senate, three bills have been introduced on the issue. Two appear unlikely to draw serious consideration. Senator Bill Nelson (D-FL) introduced S. 177, the Data Security and Breach Notification Act of 2015, which has received little attention since it has no Republican cosponsors. Senator Patrick Leahy (D-VT) introduced the Consumer Data Privacy Protection Act, S. 1158; it, too, lacks any Republican cosponsors, in part because it would not lead to a single, national data breach notification standard (that is, it would not establish full preemption of individual state data breach laws).

Senators Tom Carper (D-DE) and Roy Blunt (R-MO) introduced the third bill, S. 961, the Data Security Act of 2015, which is expected to lead the Senate debate on this issue. This bill would require a strong, uniform national standard and preempt state laws. Unlike Blackburn/Welch in the House, though, the Carper/Blunt bill specifically outlines the information security requirements that covered entities would need to have in place to comply with the law. And it would cover any organization that accesses, maintains, communicates, or handles sensitive account information or personal information, except for agencies or units of federal, state, or local government. Finally, Carper/Blunt, like Blackburn/Welch, provides an exemption for breach notification if the compromised data is encrypted.

These bills are currently working their way through the legislative process. Blackburn/Welch has passed the House Energy and Commerce Committee. It did so, however, without the votes of any Democratic committee members, including that of its Democratic cosponsor, Rep. Welch, due to the bill’s health information exemption. Democrats are also concerned that the bill’s strong preemption provision would weaken breach notification requirements and data protection in states that currently have stronger laws on the books. As a result, Rep. Blackburn is attempting to work with Democrats to address their concerns in order to gain enough Democratic support to move the bill to the House floor for a full vote by the chamber. The Senate bill is currently before the Committee on Commerce, Science, and Transportation, which has yet to take action on it.