Data Security Draft Bill Meets Opposition
The Federal Communications Commission and the Federal Trade Commission have voiced opposition to the data security draft bill released by the House Energy and Commerce Committee.
“The Federal Trade Commission would be granted some, but not all, elements of the consumer protection authority that the FCC presently exercises,” Clete Johnson, FCC chief counsel for cybersecurity, said in his testimony at a Commerce, Manufacturing and Trade Subcommittee hearing on the draft of the Data Security and Breach Notification Act of 2015.
“If the draft bill were to become law, the FTC would not have the authority to develop rules to protect the security of consumers’ data or update requirements as new security threats emerge and technology evolves,” Johnson also said on Wednesday.
Jessica Rich, director of the Bureau of Consumer Protection at the FTC, said the agency supports the draft bill’s goals to establish broadly applicable data security standards for companies and require them, in certain circumstances, to notify consumers of a breach.
However, Rich said the draft bill does not provide the protections needed to combat breaches, identity theft and other acts that harm consumers.
“The definition of personal information does not protect some of the information, which is currently protected under state law,” she said in her prepared testimony. “The bill should address the entire data ecosystem, including Internet-enabled devices.”
Rich also said the bill does not afford the FTC with rulemaking authority under the Administrative Procedure Act, which she argued would be necessary to ensure the goals of the bill are met.
“The scope of the breach notification trigger should be expanded to cover other substantial harm,” she said. “While the commission understands the importance of targeting concrete, substantial harms, and has sought to do so in its own enforcement efforts, we are concerned the draft bill does not strike the right balance.”
Rep. Frank Pallone (D-N.J.), ranking member of the House Energy and Commerce Committee, and Rep. Jan Schakowsky (R-Ill.), ranking member of the Commerce, Manufacturing and Trade Subcommittee, both expressed opposition to the draft.
“We are disappointed with the draft of the Data Security and Breach Notification Act released by Reps. Burgess, Blackburn and Welch,” the lawmakers said in a joint statement. “Data breaches can create serious harm to consumers and businesses alike, and this bill does not provide solutions.”
The members added, “We have numerous concerns about the weakening of consumer protections overall, as well as the dilution of protections for customers of telecommunications and cable services. We will continue to work for legislation that provides the strongest possible safeguards and protections for American consumers.”
Pallone also said at the hearing that the draft bill has to be improved before it moves forward.
“The draft legislation under discussion today preempts stronger state and federal laws,” he said.
Subcommittee Chairman Michael Burgess (R-Texas) said the bipartisan negotiations are ongoing and the door of the subcommittee remains open.
John McKechnie, partner at the Washington-based consulting firm Total Spectrum, said establishing a national data security standard faces some significant legislative challenges.
“Despite a growing consensus that something needs to be done on data security, it’s beginning to look like the perfect is becoming the enemy of the good,” he said. “A number of Democratic members are pushing for more expansive consumer protections, and getting even basic agreements beyond 30-day notification seems difficult. Judging from the donnybrook at yesterday’s hearing, data breach legislation has already reached a critical point, and it’s only March.”