Rep. Bono-Mack's data security bill "could be good" but "might go too far."
On Wednesday morning, the House Energy & Commerce Committee's Commerce, Manufacturing and Trade Subcommittee held a hearing on a data security bill drafted by Subcommittee Chair Mary Bono-Mack (R-CA).
As she stated in opening the hearing, "Sophisticated cyber attacks are increasingly becoming the greatest threat to the future of electronic commerce here in the United States and around the world, and that’s why Congress must take immediate steps to better protect the personal online information of American consumers. It’s time for us to declare war on identity theft and online fraud." Rep. Henry Waxman (D-CA), Ranking Member for the full Committee, echoed her sentiments, saying, "data security is not a partisan issue."
FTC Commissioner Edith Ramirez testified that, "Since 2001, the FTC has brought 34 law enforcement actions against businesses that allegedly failed to protect consumers’ personal information appropriately," including their latest settlement with Ceridian. While hitting on familiar notes like the Fair Information Privacy Practices (FIPPs) and broad support for Congressional legislation, she expressed concerns about exempting publicly available information from data security controls, complaining that it can be combined with other data and thus pose a threat.
Rep. Bill Cassidy (R-LA) complained that he couldn't understand Commissioner Ramirez's focus on publicly available information, saying, "We should have a bias towards openness" if data is not being used fraudulently and it is publicly available. "Are we going to restrict the ability of someone to know what Census tract I live in? ...What is the inherent damage?"
Rep. Cliff Stearns (R-FL), a past Chairman of the Subcommittee and author of his own data security bill, thought that Rep. Bono-Mack's data security bill "could be good" but "might go too far."
Subcommittee Ranking Member G.K. Butterfield expressed his concerns that Rep. Bono-Mack's data security bill lacks important consumer protections, such as data broker requirements and restrictions. While noting that "a federal standard is important" for data security, he felt that the FTC faces an "overly burdensome" process to change the definition of personal information.
In questioning Commissioner Ramirez, Rep. Cliff Stearns asked what problems or changes Commissioner Ramirez could see in defining "personal information" in data security legislation, noting that industry "might be concerned we're otherwise giving the FTC too much power." She replied that the rulemaking power in the legislation was too limited and that the existing definition was too narrow.
Rep. Marsha Blackburn (R-TN) then asked the Commissioner how she would specifically define it, because many people would fear giving the FTC too much power in defining personal information, rather than defining it in law. In response, Commissioner Ramirez said, "I think that the touchstone here is information that can be uniquely tied to an individual... broader than the definition that is currently used in the draft bill."
Other members of the Committee, like Rep. Charlie Gonzalez (D-TX), focused on a "gap of authority" in the legislation, because financial and other companies are exempted from it.
After Commissioner Ramirez discussed the concept of a "reasonableness" standard in assessing data security requirements, Rep. Mike Pompeo (R-KS) lamented that when he hears government say "don't worry, we'll be reasonable," "alarm bells go off in my head."
The House is likely to consider Rep. Bono-Mack's bill before it recesses for August. MRA remains concerned about the final product in data security legislation in Congress and will continue to share those concerns with Members and staff. Our cross-comparison analyzing Rep. Bono-Mack's and other Congressional data security bills is coming soon.