Partisan Ire Flares in Senate Data Breach Markup
Senate Judiciary Committee leaders sparred Thursday over the costs that three pending data breach bills would impose on U.S. businesses before adjourning due to a lack of quorum. The committee approved three amendments to Chairman Patrick Leahy’s, D-Vt., S-1151, and shelved at least four more because only four members were present to vote. The committee will resume the markup Sept. 22 at 10:00 a.m. in room 226 of the Dirksen Senate office building.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Leahy’s bill would set a national standard for breach notification and increase the penalties for hacking. At its unveiling in June, Leahy said the bill incorporates and reflects much of the administration’s cybersecurity proposal (CD June 8 p10). The other two data bills, not considered Thursday, are S-1408 and S-1535.
Ranking Member Chuck Grassley, R-Iowa, said he had “reservations” about the potential for Leahy’s bill to increase costs for American companies. “We have not focused on protecting jobs,” said Grassley, “we must work not to burden small businesses with costly requirements.” Some provisions of the legislation would require businesses that handle sensitive personally identifiable information to implement data security safeguards that could cost them money.
Leahy dismissed Grassley’s critique of the bill. Leahy said he’s frustrated by Republican pressure to reduce costs under a Democratic administration, when it spent defense dollars so freely under the previous Republican administration. “We spent hundreds and hundreds of billions of dollars for Iraq and Afghanistan without any offsets,” said Leahy. But Republicans are resistant “as soon as we talk about a bill that can help Americans,” he said. “Frankly I'd rather rebuild America than Iraq and Afghanistan.”
Grassley said there was “some surprise that our committee is already marking up cybersecurity and data breach legislation.” Senate Majority Leader Harry Reid, D-Nev., and Senate Minority Leader Mitch McConnell, R-Ky., “are committed to the working group approach to cybersecurity,” Grassley said. If the Judiciary Committee’s data breach bills are passed, it “could step on the working group approach,” he said. Despite Grassley’s concerns over the bill, “that doesn’t imply that we will filibuster this legislation,” he added.
The committee approved a manager’s amendment that provided clarifications about the language and penalties related to personally identifiable information, as well as nearly a dozen technical changes. Members also approved a substitute amendment that increases certain penalties for hackers, criminalized willful concealment of data breaches and clarifies notice requirements and exceptions among other provisions.
The committee also agreed to include a provision that would amend the Computer Fraud and Abuse Act to prevent felony prosecution for people who violate website term agreements or employee network agreements. Sen. Sheldon Whitehouse, D-R.I., opposed the amendment because he said the Department of Justice should have the chance to evaluate its impact before the committee adds a “hard and fast” rule into the legislation.
The committee tabled three Grassley amendments, the first of which would impose a three-year mandatory minimum sentence for those who intentionally cause or attempt to cause damage to critical infrastructure, because not enough members were available to vote. The second shelved amendment would forbid states, law enforcement agencies and state attorneys general from signing “contingency fee” agreements with legal or expert witnesses cooperating with data breach investigations. Sens. Leahy, Richard Blumenthal, D-Conn., and Chris Coons, D-Del., said they opposed the second amendment. The committee also tabled a Grassley amendment to remove what he called a “prescriptive, one-size-fits-all” requirement to protect sensitive personally identifiable information according to FTC standards. “We shouldn’t add another level of regulation that would have the effect of increasing cost on businesses,” Grassley said.
Sen. Al Franken, D-Minn., offered a counter amendment that would retain the data protection safeguards and introduce data minimization requirements for businesses. Grassley objected to the Franken amendment because he said it would maintain the bill’s “current rigid language.” Franken and Grassley were unable to reach a compromise before the markup was adjourned for lack of quorum.
Leahy told us he’s optimistic the committee can reach a compromise and that immediate action was needed to stop cybertheft. “If we want to attack cybercrime, then we have to attack it. The time is now, today -- we have got to do something about it,” he said. “The American people expect it.”