International Trade Today is a service of Warren Communications News.
Partisan Fissure Widens

Democrats Drive Three Data Breach Bills Through Senate Judiciary

The Senate Judiciary Committee approved three data breach bills Thursday during a rapid-fire markup session that left Republican members feeling ignored. Members passed S-1151, the Personal Data Privacy and Security Act; S-1408, the Data Breach Notification Act; and S-1535, the Personal Data Protection and Breach Accountability Act, each by a 10-8 vote along party lines. Ranking Member Chuck Grassley, R-Iowa, loudly protested the costs and “over-notification” requirements that the bills would impose on American businesses at a time when, he said, “we need to help businesses create jobs.”


S-1151 sets a national standard for breach notification, increases the penalties for hacking and incorporates much of the administration’s cybersecurity proposal (CD June 8 p10). Members approved six amendments dealing with mandatory penalties and data notification requirements for businesses, among other provisions. The legislation was authored by Chairman Patrick Leahy, D-Vt., who said he was disappointed that “committee Republicans have decided not to support the important provisions included in this bill, despite my efforts to work with them to incorporate many of their proposals.” It was the fourth time that Leahy’s bill was approved by the committee in as many Congresses, committee staff members said.

Democratic members don’t understand the impact that data breach notification requirements will have on U.S. businesses, Grassley told us after the hearing. “From the standpoint of over-notification, I don’t think there is an appreciation of the impact on small businesses or consumers. From the standpoint of the consumers you get these big, fine print letters in the mail where somebody’s alerting you to something. You almost feel overwhelmed and you throw them away,” Grassley told us. “It seemed to me that we ought to make sure that just like with terrorism, there is a notification of terrorism … When there is a real danger to an individual consumer, I don’t mean physical danger in this case, economic danger, it ought to be something that people are saying ‘I gotta take seriously.’”

The committee also approved S-1408, which differs from the chairman’s bill by limiting its focus to data breach notification requirements for businesses. The legislation was introduced by Sen. Dianne Feinstein, D-Calif., who previously claimed the bill was “purely a data breach bill” (CD Sept. 16 p7). “We have an uneven patchwork of data breach laws all across the country,” Feinstein said. “This bill is prudent and ensures that people would be notified when they have a breach.” Grassley objected to the costs that the legislation would impose on U.S. companies but failed to pass an amendment that would divert any funds captured by the bill’s enforcement provisions to offset the federal deficit. “We have real concerns about the bill about affecting financial liability to businesses,” Grassley said.

Sen. Richard Blumenthal, D-Conn., succeeded in passing his data breach bill, S-1535, which enhances penalties for identity theft, implements minimum data security requirements, and sets clear data breach notification standards. Grassley failed to strike a provision of the bill that enables the Federal Trade Commission to periodically change the definition of sensitive personally identifiable information. “I’m not comfortable with an overly broad definition of personally identifiable information,” protested Grassley. “I don’t think there is, on the Democratic side, an appreciation of over-notification but I’m going to keep hammering at them.”