House Panel Advances Measure to Require Data Breach Notification, Preempt State Laws

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Alexei Alexis

March 25 — Draft legislation designed to replace state data security breach notification laws with a national standard requiring companies to notify affected individuals within 30 days after discovering a breach was approved March 25 by the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade after a markup session.

The measure, dubbed the Data Security and Breach Notification Act, hadn't been formally introduced as of March 27.

The subcommittee approved the draft by voice vote. Several amendments offered by Democrats on the panel were defeated by party-line roll call votes.

Under the proposed law, companies that collect and maintain consumers' personal data would be required to secure such information and to provide notice to individuals in the event of a security breach. Enforcement power would be granted to the Federal Trade Commission and state attorneys general.

On March 26, Rep. Jim Langevin (D-R.I.) introduced his own data breach notice bill (H.R. 1704). The bill was referred to the House Energy and Commerce Committee—where it will be in competition with the subcommittee's approved draft legislation—and to the House Judiciary Committee.

In a related development, leaders of the House Intelligence Committee March 26 approved legislation that would provide liability protection to companies that voluntarily share cyberthreat information with government or industry partners.

Unresolved Issues

A number of unresolved concerns surround the draft legislation as it proceeds toward a full committee markup, which is expected later this spring. Democrats worry that the measure would undercut stronger state laws and weaken existing consumer protections enforced by the Federal Communications Commission.

Consumer advocacy groups, such as Public Knowledge, have objected to the bill, as well, and the U.S. Chamber of Commerce isn't satisfied with it either.

Similar legislation has died in previous Congresses. But despite broad, bipartisan statements of support for getting a federal breach notice bill across the finish line, it hasn't happened.

Sen. Dianne Feinstein (D-Calif.) introduced the first data breach notice bill in Congress in June 2003. She modeled that measure after the country's first data breach notice law, which was enacted in 2002 in her home state.

Forty-seven states and the District of Columbia have data breach notice laws that would be preempted by the draft bill. New Mexico lawmakers recently failed to clear a breach notice bill before the close of the 2015 legislative session.

“Finding a workable bipartisan compromise that can become law has been elusive,” Subcommittee Chairman Michael C. Burgess (R-Texas) said in a March 25 statement following the markup. “But I believe that by focusing on how the criminals make their money we can work together to broker a solution for the millions of Americans impacted by identity theft and financial fraud. Perfect cannot be the enemy of the good. And we must ensure that there are meaningful consumer protections in this draft.”

Penalties Up to $2.5M

Reps. Marsha Blackburn (R-Tenn.) and Peter Welch (D-Vt.) unveiled the discussion draft March 12.

The draft bill contains a risk of harm trigger. Companies would be required to notify consumers affected by a data breach unless there is “no reasonable risk” of identity theft or other financial harms.

The bill would also set a national standard for covered entities to implement and maintain “reasonable” security measures and practices to protect and secure personal information.

Generally, entities under the FTC's jurisdiction, such as retailers, would be covered. The data security and breach notification practices of telecommunications, cable and satellite providers now overseen by the FCC would be brought under the FTC's purview. FCC officials told the House Energy and Commerce Committee at a March 18 hearing that even though the FTC would gain jurisdiction over security and breach notice for those entities, the FTC doesn't have the authority to develop consumer data security rules.

However, the measure would exempt entities already subject to data security and breach notification rules under the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act.

A violation of the proposed law would be treated as an “unfair or deceptive” act under the FTC Act. Both the FTC and state attorneys general would have the power to go after violators and seek civil penalties of up to $2.5 million.


On a voice vote, the subcommittee adopted a manager's amendment with technical changes from Welch and Burgess. The panel also accepted an amendment from Rep. Tony Cardenas (D-Calif.) to require the FTC to maintain a website with data security best practices for businesses.

Rejected an amendment offered by Rep. Yvette D. Clarke (D-N.Y.) to authorize the FTC to expand the bill's definition of “personal information” in the future.

Chris Lewis, vice president of government affairs at Public Knowledge told Bloomberg BNA the bill “leaves consumers with fewer protections than they have now, especially in the way it removes the long-standing ability of the FCC to continue to protect consumers on communications networks and creates weaker, more limited protections at the FTC.”

Chamber of Commerce Letter

In a March 25 letter to the subcommittee, the U.S. Chamber of Commerce raised several concerns as well, including about proposed penalties.

“Providing state attorneys general with the ability to impose penalties of up to $2,500,000 seems disproportionate and would place an excessive financial burden on business, especially small businesses; therefore, the Chamber urges you to lower the cap to a much more reasonable amount,” the letter said. “However, even more distressing is that the draft bill does not impose any cap on the penalties that can be imposed by the FTC.”

Generally, the chamber said it supports enactment of a “truly uniform national data breach notification law.” Federal data breach notification legislation would help businesses by reducing the complexity associated with complying with the separate state laws addressing the issue, the group said.

To contact the reporter on this story: Alexei Alexis in Washington at aalexis

To contact the editor responsible for this story: Heather Rothman at

The discussion draft of the legislation is available at

Further information on the draft legislation markup is available at

The Chamber letter is available at