Despite protests from Democrats that the measure will weaken current protections for consumers, a House Energy and Commerce panel approved legislation on Wednesday that would set national standards for protecting and responding to computer breaches involving the loss of personal data.
After a lengthy and contentious debate, the Commerce, Manufacturing, and Trade Subcommittee approved the bill on a voice vote; but Democrats strongly objected to the measure and signaled that major changes would have to be made to the legislation for it to move forward with bipartisan support.
Subcommittee Chairwoman Mary Bono Mack, R-Calif., said after the markup that although she wants to continue to work with Democrats, it didn’t appear that they wanted to cooperate. “I’m going to get it right with or without them,” she said. Mack said she did not know whether the full committee would take up the measure before lawmakers leave for their August break.
The bill would preempt state laws and would require companies and organizations to take adequate steps to secure personal information. It also would mandate that they notify consumers within 48 hours of a breach if the stolen data could lead to identity theft or other harm, and within 45 days at the latest.
The issue has gained new urgency in recent months after several major companies, including Citibank and Sony, revealed that their computer systems had been hacked and that personal information about millions of consumers had been stolen.
Mack had made some changes to a draft bill released last month, but Energy and Commerce ranking member Henry Waxman, D-Calif., and subcommittee ranking member G.K. Butterfield, D-N.C., said on Wednesday that they still have strong reservations about it. For instance, they say that the definition of what personal information must be protected is too narrow.
“This bill is not balanced. It preempts strong state laws and replaces them with a weak federal one,” Waxman said.
Mack, however, defended the process, noting that she included some of the changes requested by Democrats in the latest version of the bill. “We have made a good-faith effort to address their concerns,” she said.
The panel approved an amendment offered by Reps. Marsha Blackburn, R-Tenn., and Pete Olson, R-Texas, that would eliminate a provision giving the Federal Trade Commission limited authority to change the definition of personal information under a more expedited rulemaking process used by other agencies, such as the Federal Communications Commission.
Democrats argued that the amendment further weakens the limited definition of personal information in the bill by making it nearly impossible for the FTC to change it. The panel rejected several amendments, most of them on party-line votes, that Democrats offered to try to expand the definition of personal information to include e-mail, personal photos and videos, mobile-phone location information about children, online searches for medical data, and records of over-the-counter drug purchases. “If this data is breached, people want to know about it,” Waxman said.
Mack argued that such issues were better dealt with in the broader privacy discussion that the panel is taking up separately. After the markup, however, Mack said that she believed the definition of personal information probably needs to be expanded.