WASHINGTON, June 16, 2011 – Just days after Senate email accounts were hacked, the House Subcommittee on Commerce, Manufacturing and Trade held a hearing Wednesday to discuss a draft bill that would require companies to minimize the amount of data collected from consumers and notify them within two days of a data breach.
Subcommittee members met with witnesses to clarify the ambiguous language of a discussion draft of Subcommittee Chairman Rep. Mary Bono Mack’s (R-CA) Secure and Fortify (SAFE) Data Act. The measure addresses the increasing threat of data theft, in the wake of high-profile cyber attacks on Sony, Epsilon, Lockheed-Martin and other U.S. companies.
The SAFE Data Act, is based on the language of the Data Accountability and Trust (DATA) Act , according to an internal committee memorandum.
Members reiterated key revisions within the SAFE Data Act throughout the hearing. In the new legislation, companies would be required to notify law enforcement authorities and consumers within 48 hours of the breach. The bill would also include a provision, also known as ‘data minimization,” for companies to reduce the amount of less sensitive information collected from consumers.
Rep. Henry Waxman (D-CA), in his opening remarks, while worried that the proposed legislation favors the protection of businesses over consumers, lauded the provision on ‘data minimization’ as ‘potentially valuable.’
“It’s time for us to declare war on identity theft and online fraud,” said Bono Mack in her opening statement, echoing a bipartisan call from members and witnesses for the drafting of a muscular national data breach notification law.
“E-commerce is a vital and growing part of our economy. We should take steps to embrace and protect it – and that starts with a robust cyber security.”
Edith Ramirez, Commissioner at the Federal Trade Commission, emphasized the need to notify consumers of a data breach “as soon as practicable.”
Ramirez also requested that the bill require the FTC to be notified at the same time as law enforcement agencies and that the agency should be granted the authority to sue non-profit entities for data security violations.
“The FTC promotes data security through law enforcement, consumer and business education, and policy initiatives.," said a statement issued by the agency. "Since 2001, the agency has brought 34 cases charging business to protect consumers’ personal information.”
The proposed legislation would also preempt the data breach notification laws already in place in 47 states in order to create national legal consistency. The provision responds to a pronounced frustration by private companies over the confusing labyrinth of state data breach notification laws
Marc Rottenberg, Executive Director of Electronic Privacy Information Center, however, cautioned members to take into consideration stronger state data breach notification laws while drafting the new legislation so as not to override them with a weaker federal mandate.
Rottenberg also articulated concerns that the draft’s current definition of ‘Personal Information’ was too narrow.
“The bill seems to suggest that a social security number would not be personally identifiable if it is possessed without a associated person’s name,” said Rottenberg.
“The bill also ignores other popular identifiers, such as a user ID for Facebook, which points as readily to a unique individual as would a driver’s license or a social security number.”
House members are energized to move quickly due to growing numbers of sophisticated cyber attacks and increased consumer reliance upon cloud computing. A senior advisor, in response to an email query, said that Congresswoman is looking to incorporate into her legislation some of the ideas raised by other members at the hearing.
According to a senior advisor speaking on condition of anonymity in Bono Mack's office, the representative expects to have a bill up before the full House within a month.
The congresswoman reiterated in comments after the hearing her intent on having a full committee markup of the bill before the August recess.
“It is my intent with [Rep. G.K. Butterfield (D-NC)] is that there is a bipartisan bill that moves through the Senate,” said Bono Mack. “Maybe [the recent Senate attacks] will give them a bit of an incentive over there.”