Key Democrats and a member of the Federal Trade Commission said on Wednesday that some of the changes included in a draft data-security bill would weaken the protections provided under similar legislation that the House passed on a bipartisan vote in 2009.
The draft, which is based on the 2009 bill, would set uniform national standards requiring firms covered by the legislation to deploy adequate security measures to protect personal data. It would also require them to minimize how much personal data they keep and to notify consumers and the FTC within 48 hours of a breach--after acting to secure the data and assess the incident.
During a hearing before the Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade, Chairwoman Mary Bono Mack, R-Calif., said that the draft bill is an “upgraded, 2.0 version of data-security legislation, encompassing many of the lessons learned in the aftermath of massive data breaches at Sony and Epsilon, which put more than 100 million consumer accounts at risk.”
On Wednesday, the FTC announced its latest settlement with two firms, Ceridian and Lookout Services, for failing to adequately secure personal data despite claiming they did. In the complaint against payroll-processor Ceridian, the agency said that hackers obtained personal information on thousands of customers in 2009, including bank-account numbers, Social Security numbers, and birthdates.
Several Democrats and FTC Commissioner Edith Ramirez voiced concerns with changes to the 2009 bill, including the notification standard. They said that the draft gives companies too much discretion about when they have to notify consumers.
The critics said that the definition of personally identifiable information is too narrow and that the process under which the FTC could change it is too onerous. They also worried that the draft bill would exempt information that is publicly available and remove the special requirements applied to data brokers.
“Unfortunately, there are many more changes that weaken last Congress’s bill than strengthen it,” said Energy and Commerce ranking member Henry Waxman, D-Calif.
But some Republicans said that the draft bill may go too far in some areas by giving the FTC authority to change the definition of personally identifiable information and requiring firms to notify consumers of a breach if there is a “reasonable” chance it could be used for harm, instead of imposing a “significant” standard. Industry officials noted at the hearing that consumers may begin to ignore data-breach notifications if they receive too many of them.
After the hearing, Bono Mack said she wants to produce a bipartisan bill and expects there will be further tweaks, possibly on how much time companies have to notify consumers. For her part, she said she wants consumers notified as quickly as possible. Bono Mack added that she is hoping the bill will move through the House before the August recess. She joked that perhaps the recent hacking incident involving the Senate’s website might push that chamber to finally act on the issue.