The House Subcommittee on Commerce, Manufacturing & Trade wants to pass bipartisan federal data security legislation, but these Congressmen must first work out important details, like the preemption of state laws, FTC powers, state Attorneys General (AG) enforcement authority, how fast notification of a breach must be made, and defining what information is covered and what constitutes a breach.

Easy, right? A Subcommittee hearing on January 27 found that, while Members of Congress appear to be on the right track, some of these details will require a lot of work. However, the Subcommittee was already trying to craft a bipartisan bill even before President Obama's recent State of the Union data security proposal.

Preemption and State AG Enforcement
“A single requirement across the states would give companies some confidence that their methods are sound in handling electronic data, an inherently interstate activity. Moreover, it would put all companies on notice that if you fail to keep up with other companies and if you aren’t learning from other breaches, you will be subject to federal enforcement,” commented CMT Subcommittee Chairman Mike Burgess (R-TX-26). This was his first hearing in the role, having recently taken the place of Lee Terry (R-NE-01), who was defeated for re-election in November.

"A single federal standard is the key to the solution,” agreed Rep. Fred Upton (R-MI-06), chairman of the full Energy & Commerce Committee, in his opening statement.

Rep. Leonard Lance (R-NJ-07) similarly felt that a bill would only be effective if it preempts "the patchwork of state laws."

Forty-seven states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands all have data security laws. Most focus strictly on breach notification, but some, like Massachusetts', get into much broader requirements for data security. So it should be no surprise that most industry representatives, as well as MRA, support a national standard that preempts the many conflicting state laws.

Witness Brian Dodge, executive VP at the Retail Industry Leaders Association, testified about the hurdles facing retailers in complying with a complex, duplicative system. He said that his organization “supports federal data breach notification legislation that is practical, proportional and sets a single national standard that replaces the often incongruous and confusing patchwork of state laws in place today."

Witness Elizabeth Hyman, executive VP of public policy for Tech America, similarly lamented that "most companies are under the umbrella of multiple state laws at all times" and "no two state data breach laws are exactly the same.” She concluded that "Without strong preemption language, the entire basis for enacting a federal data breach notification standard disappears.”

However, while Chairman Burgess observed that “most of us agree on preemption,” one witness and some other members of the subcommittee did not seem to agree.

Ranking Member Jan Schakowsky (D-IL-09) felt that the federal government should have a role, but there are "many important protections at the state level that we don't want to eliminate when we do federal legislation” because Congress shouldn't “weaken protections that consumers expect and deserve."

Ranking Member Frank Pallone was even more strident: “While no one, on either side of the aisle, wants to unnecessarily burden business with duplicative or overlapping requirements, these state laws provide baseline breach notification to most Americans. In addition, businesses that operate nationally often follow the strictest state laws, giving our constituents strong data security and breach notification protections coverage regardless of what is written in any individual state law. Therefore, I cannot support any proposal that supersedes strong state protections and replaces them with one weak federal standard."

Witness Woodrow Hartzog, associate professor at the Cumberland School of Law, testified that "legislation must preserve states' rights to regulate data security" and set "a floor, not a ceiling."

Rep. Joe Kennedy (D-MA-04) piped in on that point, referencing the importance of Massachusetts’ rigorous state data security law.

Rep. Peter Welch (D-VT), co-chair of the House Privacy Working Group with Rep. Marsha Blackburn (R-TN-07), observed that industry tends to support a "relatively robust standard" for data security as long as they get preemption.

Ranking Member Schakowsky set her own minimum terms: "if we include federal preemption, we must ensure that state attorneys general are able to enforce the law."

Timeliness of Breach Notification
President Obama's proposed Personal Data Notification & Protection Act would require that notification about a breach be delivered within 30 days of discovery. Under questioning from Rep. Gregg Harper (R-MS-03) and Rep. Pete Olson (R-TX-22), the witnesses agreed with MRA’s position that the timeline for breach notification needs to remain flexible; all of the witnesses said 30 days was too arbitrary a number. A “reasonable” amount of time seemed to be the consensus pick, even for Hartzog.

The Threshold for Notification and Dangers of Over-Notification
Hartzog testified that notification of a breach shouldn't require the establishment of any threat of harm. The "default should be notice," he said, "because any definition that you use to come up with regarding harm is probably going to be either over-inclusive or under-inclusive… So let’s not overleverage the concept."

Olson pressed Hartzog on whether or not some breaches may be harmless, to which Hartzog replied, "It depends on how you define harm." Hartzog's definition of harm is exceptionally broad, even including perfectly fuzzy harms like "a breach of trust."

Witness Jennifer Glasgow, chief privacy officer at Acxiom, testified to the contrary, that notification triggers need to be limited to when data has been stolen, not just "exposed," and only after a risk assessment has been run (a key aspect of President Obama's bill). She also testified that excessive notification could lead to consumers tuning out important warnings and getting "complacent" about true threats.

Schakowsky advocated for including a bigger bucket of harms than just direct financial harm when defining a breach, specifically citing the high-profile privacy hack of Sony by North Korea in December as "a problem for a lot of people."

Although Hartzog testified that the threat of over-notification was "over-inflated," recent evidence points to the contrary.

Next steps
MRA touched base with Subcommittee members in advance of the hearing to share the research profession's top concerns about President Obama's bill. The House Privacy Working Group, in consultation with the broader committee, is crafting a data security bill. Subcommittee Chairman Burgess said the bill would be drafted narrowly so that Energy & Commerce would have sole jurisdiction, since battles between committees have been a common death-knell for prior legislative attempts. He also stressed that it would not give the FTC new expanded authority (a key factor in our successful amendments to the 2011 SAFE Data Act).

MRA will continue meeting with Subcommittee members and their staff to help ensure that their final bill reflects our interests.