Data Security Outlook Remains Uncertain Despite Flurry of Bills

Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...

By Alexei Alexis  

April 11 -- The outlook for congressional action this year on data security remains murky, despite a flurry of bills introduced in the wake of recent breaches.

Sen. John D. Rockefeller IV (D-W.Va.), chairman of the Senate Commerce, Science, and Transportation Committee, is among the key members of Congress who are still weighing next steps on the issue.

It remains unclear whether or when a data security bill (S. 1976) introduced by Rockefeller will be scheduled for a markup.

“There's a possibility of committee action,” the senator told Bloomberg BNA in a recent interview. “You always have to try to count votes so that you know what you're up against.”

Past Struggles

While there has been broad support for data security legislation on Capitol Hill, lawmakers have struggled for years to get a bill across the finish line. Recent breaches at Target Corp. and Neiman Marcus Group Ltd. have brought renewed attention to the issue.

Competing bills have been introduced in the Senate. Complicating matters, multiple committees share jurisdiction over the issue.

Alysa Zeltzer Hutnik, a partner at Kelley Drye & Warren LLP, in Washington, said the path forward is “uncertain at best.”

“It is possible--and perhaps likely--that congressional interest will fade and the current legal landscape will remain intact,” Hutnik told Bloomberg BNA. “Even if that occurs, however, there is little doubt that federal and state enforcement agencies will continue to make data security a priority and use existing authority to adopt new initiatives as necessary to address new and emerging risks.”

New FTC Powers Proposed

Rockefeller's bill would authorize the Federal Trade Commission to write and enforce new rules requiring retailers and other companies to protect consumers' personal data and notify individuals in the event of a breach. Violators would face civil penalties.

Currently, the commission relies substantially on Section 5 of the FTC Act, which prohibits “unfair and deceptive” trade practices, to pursue data security cases.

Besides Rockefeller, other lawmakers calling for passage of data security legislation include Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.).

Leahy spokeswoman Jessica Brady said the senator is working with Republicans to make progress on the issue and to secure support for a bill (S. 1897) that he has introduced.

Leahy first authored the proposal, dubbed the Personal Data Privacy and Security Act, in 2005 and has unsuccessfully pursued it in each of the last four Congresses.

He resurrected the measure again in January, saying that the Target breach serves as a reminder that developing a comprehensive national strategy to protect data privacy and cybersecurity “remains one of the most challenging and important issues” facing the country.

Republican Opposition

Leahy's proposal was approved by the Senate Judiciary Committee in September 2011 on a party-line vote, with no Republican support. However, the measure didn't make it to the floor.

The U.S. Chamber of Commerce had raised various concerns about the bill--while applauding its goals--in a letter sent to committee members before the markup. For example, the group said the bill proposed detailed security program requirements that had the potential to result in “an expensive and excessive compliance burden.”

“The chamber also is concerned about the regulatory unpredictability that would be created, in an uncertain economy, by giving the FTC rulemaking authority to implement this section of the act,” the group added. The group said it would rather have the legislation “tout these programs as a goal rather than mandate their implementation.”

Rockefeller had similar struggles that year with getting Republicans to support a data security bill that he and Sen. Mark Pryor (D-Ark.) drafted together. Ultimately, that legislation died without a committee markup.

Rockefeller Frustrated

Recently, Rockefeller said that he was frustrated with both Congress and industry about the fact that federal data security legislation has been stalled for years.

“For nearly a decade, we've had major data breaches at companies both large and small,” he said in a March 25 statement. “Millions of consumers have suffered the consequences. While Congress deserves its share of the blame for inaction, I am increasingly frustrated by industry's disingenuous attempts at negotiations. It's time for industry to work with us on legislation that reinforces the basic protections American consumers have a right to count on.”

Rockefeller's pending bill conflicts with data security legislation (S. 1193) that is backed by Sen. John Thune (R-S.D.), Senate Commerce Committee ranking member, and other Republicans on the panel. The Republican bill was introduced last year, before recent breaches occurred.

Bill Differences

Among other key differences, the Rockefeller bill would give the FTC rulemaking authority to set data security standards for the private sector, while the Republican measure would merely clarify the commission's authority to take enforcement actions against companies that fail to adopt reasonable security for personal data, a Thune aide said.

In addition, the Rockefeller bill would allow the FTC to expand--via rulemaking--the definition of “personally identifiable information” that must be protected, while the other bill would define the scope of such data legislatively, without providing additional rulemaking authority for the agency.

During a March 26 committee hearing, Thune noted the competing bills and said that he looked forward to working with Rockefeller and other colleagues on the issue.

“I support a uniform federal breach notification standard to replace the patchwork of laws in 46 states and the District of Columbia,” Thune said. “A single federal standard would ensure all consumers are treated the same with regard to notification of data breaches that might cause them harm. Such a standard would also provide consistency and certainty regarding timely notification practices, which benefits both consumers and businesses.”

He added that he wants to ensure that businesses “appropriately secure information and are not burdened by outdated or ill-suited security requirements, but rather are provided with the flexibility to develop effective and innovative tools to secure the information they are entrusted to protect.”

Industry Effort Under Way

Earlier this month, representatives of the banking and retail sectors briefed members of the Senate Homeland Security and Governmental Affairs Committee on the status of a new industry partnership on cybersecurity policy. According to Tim Pawlenty, chief executive officer of the Financial Services Roundtable, the partnership is expected to result later this year in the publication of a statement of principles on data breach legislation, among other steps.

The outlook for data security legislation in the House is also uncertain. Rep. Lee Terry (R-Neb.), a key member of the House Energy and Commerce Committee, has expressed an interest in pursuing data security legislation this year, but he hasn't yet produced a bill or indicated a timeline.


To contact the reporter on this story: Alexei Alexis in Washington at

To contact the editor responsible for this story: Heather Rothman at