The House Energy and Commerce Committee approved a controversial bill creating national data security standards after a chaotic markup that revealed deep Democratic concerns about the measure.
The Data Security and Breach Notification Act appears headed for further changes prior to a vote by the full House. The committee approved it on a party-line vote of 29-20.
Wednesday’s markup exposed a rift between Energy and Commerce members on key matters, including whether the bill should preempt stronger consumer data protections at the state level.
Ranking Member Rep. Frank Pallone (D-N.J.) called the legislation “deeply flawed.”
“I am very concerned,” he said. “I just think that this is moving much too quickly. There are a lot of changes that I think need to be made. I’m very concerned, particularly, about the preemption issue. All of these things need a lot of time and work … I would like to see the process slowed down.”
The bill from Reps. Marsha Blackburn (R-Tenn.) and Peter Welch (D-Vt.) is designed to replace the patchwork of state data security and breach notification laws.
Currently, companies that experience a data breach or hack must comply with a variety of requirements across the country. Lawmakers consider it a priority to at least streamline the requirement for consumer notification.
The presence of a national data security standard in the bill has caused problems from the beginning. Democrats and privacy groups argue that replacing stronger state laws will leave consumers vulnerable.
A series of Democratic amendments to make the standard more specific, to create a floor for data security requirements and to avoid a level of preemption failed. A manager’s amendment and a change capping federal penalties for some breached companies passed with support from Republicans, along with a handful of other amendments.
Republicans rejected the proposals by saying they are trying to keep the bill “narrowly tailored.” Chairman Fred Upton (R-Mich.) suggested that several Democratic changes would hamper the bill’s chances of passing the Senate.
“I say this with a smile — I don’t expect to [pass the bill under] suspension,” Upton said, referring to non-controversial measures that require a two-thirds majority vote on the House floor.
The legislation would require companies to maintain “reasonable security measures and practices” to protect consumer data, and to disclose breaches when there is a risk of consumer harm. Notification would be required within 30 days of when a company determines the scope of a breach and restores its systems.
In a sign of the controversy surrounding the bill, its lead Democratic cosponsor ultimately voted against it after supporting an amendment from Rep. Bobby Rush (D-Ill.) that would significantly alter the measure’s approach.