Last year was “the year of the data breach,” with Target, Home Depot and Sony the most prominent in a long list of compromised companies.
Never letting a good lawmaking opportunity go to waste, an equally long list of legislators in the 2015-2016 Congress have signed on to more than half a dozen data breach and data security bills, with more in the works.
All of the bills grapple with how to impose data security standards to prevent Target and Home Depot-like breaches that have compromised the personal information of hundreds of millions of consumers and cost companies on average $3.5 million, according to a IBM-funded study from Ponemon Institute. Target’s breach cost the company $162 million.
None of the bills spell out detailed standards -- and many delegate their specificity to the Federal Trade Commission, a prospect that worries CIOs at many companies.
The bills would all impose hard deadlines on when companies need to notify impacted customers that a breach had occurred.
Advertisers, along with retailers and other businesses, have been pushing for national data breach legislation to preempt a patchwork of 47 state data security and breach laws.
But so far, none of the bills have gotten very far, running into the same debates that have plagued prior attempts over the past few years.
Democrats are largely opposed to any federal standard that preempts stricter state laws, while Republicans don’t want to see too much more authority bestowed on the Federal Trade Commission.
The Data Security and Breach Notification Act, which recently cleared the House Energy and Commerce Committee in a 29-20 party line, exposed the divide between Democrats and Republicans.
That bill, authored by Rep. Marsha Blackburn (R-Tenn.) and Peter Welch (D-Vt.), started off as a bipartisan effort, but eventually Welch bailed on the measure.
“The bill weakens existing consumer protections,” said House Commerce ranking member Frank Pallone (D-N.J.) during a markup of the measure. “Many of the 51 state and territorial breach notification laws provide greater protections for consumers…38 state laws are stronger than this bill,” he said.
As the debate continues, more bills are queuing up for their turn in the legislative sausage grinder.
The most recent was introduced Friday by Reps. Randy Neugebauer (R-Tex.), chairman of the Financial Institutions and Consumer Credit subcommittee and Rep. John Carney (D-DE). The Neugebauer-Carney bill is the House counterpart to the Senate bill introduced by Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) last month.
Just a day before, the Consumer Privacy Protection Act was introduced by Senate Judiciary Chairman Patrick Leahy (D-Vt.) with Democratic co-sponsors Sens. Al Franken (Minn.), Elizabeth Warren (Mass.), Richard Blumenthal (Conn.), Ron Wyden (Ore.), and Ed Markey (Mass.).
And that was just this week.
The other bills introduced this year: Two bills in January, one from Sen. Bill Nelson (D-Fla.) and one from Reps. Joe Barton (R-Tex.), and Bobby Rush (D-Ill.). Earlier this month, Sens. Mark Kirk (R-Ill.) and Kirsten Gillibrand (D-N.Y.) introduced a bill. Sen. John Warner (D-Va.) is also working on a bill.