House Dem to introduce separate data breach bill

A co-chairman of the House Cybersecurity Caucus is planning to introduce a data breach bill that would not create federal security standards for private companies.

Rep. Jim Langevin (D-R.I.) announced that he will release two cyber-related measures on Thursday: one to require companies to disclose data breaches to affected customers within 30 days of discovery, and another to establish a cyber-related office within the executive office of the president.

{mosads}Langevin’s data breach notification measure will compete directly with legislation approved Wednesday by the Energy and Commerce Subcommittee on Trade.

That bill, from Reps. Marsha Blackburn (R-Tenn.) and Peter Welch (D-Vt.), would require companies to inform affected customers of a data breach within 30 days once the networks are secured.

The Data Security and Breach Notification Act would also require companies to maintain reasonable security practices.

Langevin said Thursday that he believes data security should continue to be regulated at the state level.

“The states have done a pretty good job of defining and putting in thorough requirements on data security,” the Rhode Island Democrat said at an event hosted by Bloomberg Government.

“So I want to leave that right now with the states. [My colleagues] deal with it more broadly in their bill, and I’m fine with considering that.”

Several key Democrats object to the current draft of the Blackburn-Welch bill because they argue it would pre-empt stronger state data security protections.

Rep. Joseph Kennedy (D-Mass.) offered two amendments during Wednesday’s markup to prevent the bill from pre-empting state data security requirements and pertinent common law. The changes lacked Republican support and did not pass.

The bill appears to be headed for further changes before it is considered by the full Energy and Commerce Committee, and members are likely to debate Langevin’s notification-only approach in the coming days.

The other bill set to be introduced on Thursday would create a point person for the cybersecurity of the .gov domain at the White House. Langevin said the individual would have “policy and budgetary authority” to marshal a whole-of-government effort to protect federal websites.