WASHINGTON — Ten months, three hearings and two bill drafts after widespread
data breaches began to make headlines, House Republicans finally placed
their legislative cards on the table Thursday. Democrats say they shouldn’t
have bothered.
The Data Accountability and Trust Act (DATA), approved by a subcommittee
after a contentious five-hour hearing, would require data brokers to disclose
to consumers any unencrypted breaches of their personal data. The bill would
also pre-empt all state data breach laws.
“Data security has not been given the priority it should be, and the bill
before us will change that,” House Energy and Commerce Chairman Joe Barton
(R-Tex.) said. “It requires tough security measures and appropriate notice
when consumers are put at risk through no fault of their own.”
Well, maybe, said the subcommittee’s Democrats.
The bill defines a data breach as the unauthorized acquisition of personal
information that establishes a “reasonable basis” to conclude that there is
a “significant risk” of identity theft.
For purposes of disclosure, the bill defines identity theft as “assuming
another person’s identity for the purpose of engaging in commercial
transactions.”
Since February and the news of breaches at companies such as ChoicePoint and LexisNexus,
nearly 51 million notices have gone out to consumers, thanks to a California
state law requiring disclosure of data breaches. The California law requires
disclosure whenever there is an “unauthorized acquisition of [data] that
compromises the security, confidentiality or integrity of personal
information.”
Said Illinois Democrat Janice Schakowsky, “No notices would have gone out under the standard put forth in this bill. ‘Significant risk’ is almost impossible to prove.”
Rep. John Dingell (D-Mich.) said the nationwide notice provisions proposed
by the Republicans are actually “no notice” provisions.
“I also cannot support pre-emption of stronger state laws,” Dingell, the
ranking Democrat on the Energy and Commerce Committee, said. “Why bother to
pass a bill at all, if this is what we propose to do to the American public?”
Democrats also objected to a last-minute change in the bill’s language that
eliminates a provision allowing consumers to review the personal information
maintained on them by data brokers.
“I find this change most curious indeed,” Dingell said.
Rep. Cliff Stearns (R-Fla.), chairman of the subcommittee, said the DATA Act
is the “initial step” to offer relief to consumers and businesses.
“I want to re-emphasize to my Republican and Democratic colleagues that [the
DATA Act] is the beginning of a long process,” Stearns said. “Unfortunately,
we have not reached consensus with [Democrats] on all issues. I am
optimistic we will get there.”
If Thursday’s hearing is any example, it might be a very long process,
indeed, to reach accord with the Democrats.
Along purely party lines, Republicans on the subcommittee rejected
amendments by the Democrats to replace the bill’s disclosure trigger
language with the California standard, to restore consumers’ rights to
review information held by data brokers and to remove the national
pre-emption of state laws.
