Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...
April 11 -- The outlook for congressional action this year on data security remains murky, despite a flurry of bills introduced in the wake of recent breaches.
Sen. John D. Rockefeller IV (D-W.Va.), chairman of the Senate Commerce, Science, and Transportation Committee, is among the key members of Congress who are still weighing next steps on the issue.
It remains unclear whether or when a data security bill (S. 1976) introduced by Rockefeller will be scheduled for a markup.
“There's a possibility of committee action,” the senator told Bloomberg BNA in a recent interview. “You always have to try to count votes so that you know what you're up against.”
While there has been broad support for data security legislation on Capitol Hill, lawmakers have struggled for years to get a bill across the finish line. Recent breaches at Target Corp. and Neiman Marcus Group Ltd. have brought renewed attention to the issue.
Competing bills have been introduced in the Senate. Complicating matters, multiple committees share jurisdiction over the issue.
Alysa Zeltzer Hutnik, a partner at Kelley Drye & Warren LLP, in Washington, said the path forward is “uncertain at best.”
“It is possible--and perhaps likely--that congressional interest will fade and the current legal landscape will remain intact,” Hutnik told Bloomberg BNA. “Even if that occurs, however, there is little doubt that federal and state enforcement agencies will continue to make data security a priority and use existing authority to adopt new initiatives as necessary to address new and emerging risks.”
Rockefeller's bill would authorize the Federal Trade Commission to write and enforce new rules requiring retailers and other companies to protect consumers' personal data and notify individuals in the event of a breach. Violators would face civil penalties.
Currently, the commission relies substantially on Section 5 of the FTC Act, which prohibits “unfair and deceptive” trade practices, to pursue data security cases.
Besides Rockefeller, other lawmakers calling for passage of data security legislation include Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.).
Leahy spokeswoman Jessica Brady said the senator is working with Republicans to make progress on the issue and to secure support for a bill (S. 1897) that he has introduced.
Leahy first authored the proposal, dubbed the Personal Data Privacy and Security Act, in 2005 and has unsuccessfully pursued it in each of the last four Congresses.
He resurrected the measure again in January, saying that the Target breach serves as a reminder that developing a comprehensive national strategy to protect data privacy and cybersecurity “remains one of the most challenging and important issues” facing the country.
Leahy's proposal was approved by the Senate Judiciary Committee in September 2011 on a party-line vote, with no Republican support. However, the measure didn't make it to the floor.
The U.S. Chamber of Commerce had raised various concerns about the bill--while applauding its goals--in a letter sent to committee members before the markup. For example, the group said the bill proposed detailed security program requirements that had the potential to result in “an expensive and excessive compliance burden.”
“The chamber also is concerned about the regulatory unpredictability that would be created, in an uncertain economy, by giving the FTC rulemaking authority to implement this section of the act,” the group added. The group said it would rather have the legislation “tout these programs as a goal rather than mandate their implementation.”
Rockefeller had similar struggles that year with getting Republicans to support a data security bill that he and Sen. Mark Pryor (D-Ark.) drafted together. Ultimately, that legislation died without a committee markup.
Recently, Rockefeller said that he was frustrated with both Congress and industry about the fact that federal data security legislation has been stalled for years.
“For nearly a decade, we've had major data breaches at companies both large and small,” he said in a March 25 statement. “Millions of consumers have suffered the consequences. While Congress deserves its share of the blame for inaction, I am increasingly frustrated by industry's disingenuous attempts at negotiations. It's time for industry to work with us on legislation that reinforces the basic protections American consumers have a right to count on.”
Rockefeller's pending bill conflicts with data security legislation (S. 1193) that is backed by Sen. John Thune (R-S.D.), Senate Commerce Committee ranking member, and other Republicans on the panel. The Republican bill was introduced last year, before recent breaches occurred.
Among other key differences, the Rockefeller bill would give the FTC rulemaking authority to set data security standards for the private sector, while the Republican measure would merely clarify the commission's authority to take enforcement actions against companies that fail to adopt reasonable security for personal data, a Thune aide said.
In addition, the Rockefeller bill would allow the FTC to expand--via rulemaking--the definition of “personally identifiable information” that must be protected, while the other bill would define the scope of such data legislatively, without providing additional rulemaking authority for the agency.
During a March 26 committee hearing, Thune noted the competing bills and said that he looked forward to working with Rockefeller and other colleagues on the issue.
“I support a uniform federal breach notification standard to replace the patchwork of laws in 46 states and the District of Columbia,” Thune said. “A single federal standard would ensure all consumers are treated the same with regard to notification of data breaches that might cause them harm. Such a standard would also provide consistency and certainty regarding timely notification practices, which benefits both consumers and businesses.”
He added that he wants to ensure that businesses “appropriately secure information and are not burdened by outdated or ill-suited security requirements, but rather are provided with the flexibility to develop effective and innovative tools to secure the information they are entrusted to protect.”
Earlier this month, representatives of the banking and retail sectors briefed members of the Senate Homeland Security and Governmental Affairs Committee on the status of a new industry partnership on cybersecurity policy. According to Tim Pawlenty, chief executive officer of the Financial Services Roundtable, the partnership is expected to result later this year in the publication of a statement of principles on data breach legislation, among other steps.
The outlook for data security legislation in the House is also uncertain. Rep. Lee Terry (R-Neb.), a key member of the House Energy and Commerce Committee, has expressed an interest in pursuing data security legislation this year, but he hasn't yet produced a bill or indicated a timeline.
To contact the reporter on this story: Alexei Alexis in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Heather Rothman at email@example.com