International Trade Today is a service of Warren Communications News.

Reforms Sought in Hearing on Data Security, Breach Notification Act Draft

Key topics at the House Subcommittee on Commerce, Manufacturing and Trade’s hearing Wednesday on the Data Security and Breach Notification Act draft were whether the draft's language is too vague to protect consumers and provide guidance to companies, whether it gives the FCC and FTC ample authority to protect consumers, whether it allows innovation, and whether privacy and data security can be regulated separately. The bill was touted as bipartisan. But many Republican subcommittee members favored the narrow approach of the bill, while Democratic members raised concerns with the bill’s pre-emption of stronger state laws and a limited definition of what constituted personal information.


Subcommittee Chairman Michael Burgess, R-Texas, said the bill was a step toward accomplishing a “single federal standard on data security and breach notification” that would be effective compared with the “existing patchwork” of state data security and breach notification laws. Ranking member Jan Schakowsky, D-Ill., who raised concerns about the draft bill when it was introduced last week (see 1503130027), again said the bill would pre-empt state law and offer fewer protections for consumers than what currently exists. The FTC “can and should be empowered to play a strong role” but not at the cost of eliminating the FCC’s role in protecting consumers, Schakowsky said. Data breaches create more than just financial harms, she said, because the leaks of some information can cause harms such as embarrassment or even danger, especially for domestic violence survivors.

The bill is too narrow in its definition of personal harms, which is why the FTC needs to have the authority to adapt what constitutes personal information, Schakowsky said, saying previous House legislation didn’t include geolocation as personal information. The FTC later added geolocation, Schakowsky said. Identity theft and fraud are crimes that pay, said House Commerce Committee Chairman Fred Upton, R-Mich. He commended the bill's narrow approach, saying a focus on protecting the “cyber gold” that attracts criminals is needed.

Of seven witnesses on two panels including officials from the FCC, FTC and consumer and industry advocacy groups, only one, former FTC Chairman Jon Leibowitz, now at Davis Polk and representing clients including Comcast, supported the legislation in its current form. All agreed a strong federal law was needed.

The FTC applauds parts of the legislation, such as the sections that give the FTC jurisdiction over common carriers and nonprofits, said Bureau of Consumer Protection Director Jessica Rich. But the agency takes issue with the bill’s pre-emption of state law even though it’s weaker than some state laws and some things are missing from the bill, such as providing strong protections to consumers when geolocation and health data are breached, she said. “A lot of health information is not covered” by the Health Insurance Portability and Accountability Act (HIPAA), Rich said. But the bill wouldn't let the FTC protect consumers in areas where they weren't protected by HIPAA or other privacy laws, she said. Other information Rich said should be protected under the bill’s definition of private information includes stand-alone Social Security, driver’s license, passport or any other government-issued identification numbers, medical and health insurance numbers, Internet of Things devices and pictures of private things happening in homes. Data security and protection law should be applied to some IoT connected devices, Rich said, because not properly securing a pacemaker may not result in financial harm but harms the user. The FTC should be given rulemaking authority to ensure that as technology changes and risks evolve, the law keeps pace and consumers are adequately protected, she said.

If Americans can’t communicate privately and securely, they can’t fully exercise the freedoms and other rights afforded to a democratic society, said FCC Public Safety Bureau Chief Counsel-Cybersecurity Clete Johnson. The bill would alter the legal framework of Section 222 of the Communications Act and the Satellite Television Extension and Localism Act, which protects information such as how many calls a person has made, what time of day the call occurred, who was called, whether the individual has caller ID, call waiting, what TV shows an individual watched, whether the person bought something from the Home Shopping Network, and more, Johnson said. The FTC would have authority where the FCC formerly had authority, but the authority given to the FTC is weakened, he said.

The majority view at the FTC is that it should have jurisdiction over common carriers and jurisdiction should be shared between it and the FCC, Rich said. “We work well together.” She said the FTC doesn’t want to take anything away from the FCC because the agencies can coordinate to ensure there's no duplication and consumers are protected.

Twelve nonprofit organizations, including Consumer Watchdog, Center for Digital Democracy and Public Knowledge, sent a letter to members of the subcommittee Wednesday urging improvements to the bill, including the expansion of what was considered personal information. “Communications record data is among the most private information we have because it easily could reveal the identities of the persons and the places called,” the letter said. The groups also expressed concern with the erosion of data breach protections given consumers under the Communications Act, saying revoking the FCC authority is not just a mistake, but also an “affront to the American people’s expectations for privacy and for their communications services.”

Johnson opposed the bill’s attempt to separate privacy and data security, saying in the FCC’s experience the two are not separate concepts. Rich told Burgess the FTC has brought 55 data security cases since the early 2000s, but has brought hundreds of combined data security and privacy cases in the period. The number of cases the FCC has brought will be submitted in writing to the subcommittee. Information Technology Industry Council General Counsel Yael Weinman applauded the bill’s ability to distinguish between privacy and data security.

Data breach notification is only part of the solution, said Rep. Frank Pallone, D-N.J. The draft legislation creates an unfair standard that likely will be left to judicial interpretation, he said, and doesn’t put consumers in a better place. Pallone, who released a joint statement last week with Schakowsky expressing concern with the bill, said it wasn’t introduced at least a full week before a hearing and said just because it has some Democratic support doesn’t make it a bipartisan measure.

A narrow approach makes sense when 90 percent of consumers are concerned about loss of financial information, said Rep. Peter Welch, D-Vt., who co-wrote the legislation with Rep. Marsha Blackburn, R-Tenn. Johnson said communications data wasn't as important to protect as financial data. Rep. Bobby Rush, D-Ill., agreed with Johnson that Congress shouldn’t waste time trying to deal with privacy and data security separately.

“If Americans are to be adequately protected and informed, federal legislation to address these threats must cover all of the types of entities that handle sensitive personal information,” said National Retail Foundation General Counsel Mallory Duncan. He said the draft legislation doesn’t require third parties, like cloud-based storage services, that handle sensitive data for "covered entities," or "service providers," such as communications firms, to provide public notice of their breaches of security. “Exemptions for particular industry sectors not only ignore the scope of the problem, but create risks criminals can exploit,” he said.