No Federal Standards on Consumer Data Protection

Posted July 22, 2015 at 10:29am

The data breach issue isn’t new to Congress. Back in 2009, the House passed legislation to task the Federal Trade Commission with writing rules governing how companies protect customer data in their possession.

That data was defined as financial, but the bill authorized the FTC to expand it. The legislation would have required companies to implement security procedures and to notify consumers if their data was stolen.

Bobby L. Rush, the Illinois Democrat who sponsored the measure, said at the time it was, “unacceptable that in 2009 there is no comprehensive federal law that requires all companies that hold consumers’ personal information to protect that data.”

The Rush bill died in the Senate and six years later, there’s still no federal standard in place. Rush revived his bill as an amendment when the House Energy and Commerce Committee marked up data breach legislation by Republican Marsha Blackburn of Tennessee in April.

The Blackburn bill is similar. One big exception: Her legislation would not give the FTC rule-making authority to expand the definition of personal information. Blackburn said that was by design, to avoid complications and give her measure a better chance of enactment: “Our bill is narrow. It is narrow for a reason.”

Rush’s amendment fell on party lines, but two Republicans voted with him, including former Energy and Commerce Chairman Joe L. Barton of Texas. Barton noted he had co-sponsored the Rush bill in 2009, and said the committee had approved it then on a voice vote and the House had passed it similarly.

“The problem that people like myself have with the current work product is that it doesn’t, in my opinion, go far enough to protect the individual, and identify those individual items that truly should be protected,” he said.