Less than a month ago, the White House Office of Personnel Management revealed hackers had stolen the personal information of about 22 million federal workers and others. It was devastating news, but not surprising given the string of data breaches at companies and government agencies in recent months.
Members of Congress complained and forced the resignation of the OPM director, but they are struggling to figure out how to fix the problem. There’s currently no federal standard governing what companies, or government agencies, must do to protect their customers or employees when their servers are hacked.
It’s not that Congress isn’t trying. Back in the spring, Fred Upton, the Michigan Republican who chairs the House Energy and Commerce Committee, expected quick passage of legislation that would set a national standard governing how companies must respond when hackers steal customer data.
At a markup of the bill on April 15, he called it bipartisan and said he expected it on the floor the following week.
But since then, nothing has happened. Upton is working to assuage industry groups from the financial sector that oppose the bill and hopes to have it on the floor this fall. But committee Democrats, who revolted during the markup because the bill would pre-empt state laws, say they see no bipartisan path forward.
At the start of the markup, Republican Marsha Blackburn of Tennessee, the sponsor of the bill, had a Democratic co-sponsor in Peter Welch of Vermont, and said they’d put in years of preparation. “The time to act is now,” she said.
By the markup’s end, Welch had joined all of his fellow Democrats in voting no, dismayed that Republicans had opposed his one big ask — approval of an amendment to expand the definition of personal information in the bill to include health records. “For me, that is a problem,” he said. The committee approved the bill nonetheless. The party line vote was 29-20.
Blackburn and her allies stressed that the measure was narrowly tailored by design to avoid complications in the Senate. The bill says companies would have to have reasonable security measures against hackers in place, and it would require them to investigate hacks of their networks. If they find consumer financial data was stolen, placing customers at risk of fraud, they’d have to notify them within 30 days of stopping the breach.
It focuses exclusively on the theft of financial data that hackers could use to access consumers’ bank accounts, and does not protect other data, such as medical records, television-viewing habits, phone-call records or location information.
Committee staff think they can reach an accommodation with Welch to include more protections for medical records. But they also want to assuage others’ concerns. The Financial Services Roundtable, Credit Union National Association, National Association of Realtors and the NAC’s Association for Convenience & Fuel Retailing, which represents convenience stores, have all said they oppose the bill.
Their concerns vary. The realtors say the requirement that firms have reasonable security standards in place is too vague. The banks and credit unions say they are already covered by federal banking laws and the bill should be clearer that they are exempt from new rules. The convenience stores believe the bill would saddle them with notifying customers of breaches of their vendors, including telecommunications firms and Internet service companies.
The consumer notice required in the bill would have to include a description of the information that was stolen, the approximate date of the breach, a telephone number that a consumer could call to get more information and a number for a credit reporting agency as well as one for the Federal Trade Commission, where consumers could get more information about identity theft.
The bill also would require companies to notify the Federal Trade Commission, the Secret Service and the FBI if a breach affects more than 10,000 customers. It would task the FTC with enforcing violations of the law.
State attorneys general could seek civil penalties of up to $1,000 per stolen record for first-time offenders and up to $11,000 per record for subsequent offenses.
Welch’s biggest problem is the definition of personal information in the bill, but his fellow Democrats also don’t like the bill’s pre-emption of 47 state laws, some of which are stronger than the federal bill. The state laws, for instance, have broader definitions of personal information. Some also allow civil suits against companies that lose control of customer data, which the federal bill does not.
Welch says that pre-emption is necessary because commerce, especially on the Internet, crosses state lines. “Where is the protection for the consumer who lives in a state where there is a good law? Vermont is an example of that, but the breach occurs with a company in, say, Montana, or Texas or New York?” he asked.
For businesses, too, pre-emption is the sweetener to get them to accept new requirements without a fight. They’d rather comply with one federal law than a patchwork of state rules with varying requirements.
But other Democrats, including ranking member Frank Pallone Jr. of New Jersey, say the pre-emption would reduce protections for people who live in states with tough laws.
Energy and Commerce Committee leaders earlier this month wrote to agency officials at the FTC and the Consumer Financial Protection Bureau to ask what more the agencies could do to ensure people whose data was stolen could protect themselves. They never mentioned their bill.
On Monday, bipartisan Energy and Commerce leaders also asked the Government Accountability Office to report on how the government and private businesses protect consumers once data breaches have occurred.