As multiple privacy and data security bills wend their way through the legislative process, three proposals have made significant steps forward.
In a 307 to 116 vote, the House of Representatives passed the Protecting Cyber Networks Act, a bipartisan bill that provides liability protections to companies that share cyber threat information. The next day, House lawmakers passed a similar measure, the National Cybersecurity Protection Advancement Act, and moved both to the Senate. And the controversial Data Security and Breach Notification Act was approved by a House committee, pushing the legislation to the House floor for consideration.
The House Energy and Commerce Committee voted 29 to 20 to approve the data breach notification bill, H.R. 1770, which has received mixed reviews. The bill would require businesses to notify consumers affected by a data breach within 30 days if the company determines that “a reasonable risk” of “identity theft, economic loss or economic harm” exists.
Although the bill would create a uniform national standard for data breach notification—a long sought-after request from the business community—it has been criticized by consumer advocates for preempting more stringent state data breach notification laws. Jessica Rich, director of the Federal Trade Commission’s Bureau of Consumer Protection, testified that the legislation does “not provide the strong protections that are needed to combat data breaches, identity theft, and other substantial consumer harms.”
Multiple changes adding consumer privacy protections were proposed during the Committee’s markup session prior to its vote, including an amendment allowing state attorneys general and consumers to bring suit against businesses and a suggestion to broaden the definition of personally identifiable information to cover geolocation information and health information. Both were rejected, as was a third proposal that would have expanded the notification requirements by removing the economic harm trigger.
The Committee did make one change, lowering the cap on financial penalties per consumer for failed notification from $11,000 to $1,000. The bill will now move to the House floor for consideration.
Also moving through the House are two separate pieces of legislation promoting the sharing of cyber threat information.
House lawmakers overwhelmingly approved H.R. 1560, the Protecting Cyber Networks Act. Companies that voluntarily share cyber threat information would be protected from private and regulatory actions under the proposal, as long as any personal data is removed before data is passed along to the government. The National Cyber Threat Intelligence Integration Center would be tasked with collecting and disseminating the cyber threat information.
Some lawmakers expressed reservations as to whether the measure contains strong enough privacy protections. Rep. Jared Polis (D-Colo.) said the bill “does more harm than good” by “raising enormous concerns about the inappropriate sharing of personal information and surveillance on Americans’ private lives.” Despite such comments, the House voted 307 to 116 to pass the bill and send it to the Senate.
The next day, legislators approved H.R. 1731, the National Cybersecurity Protection Advancement Act, a similar proposal that would encourage cyber threat information sharing while providing a safe harbor to companies. The major difference between the two bills: H.R. 1731 vests authority with the National Cybersecurity and Communications Integration Center of the U.S. Department of Homeland Security.
Passed by a vote of 355 to 63, the NCPAA features a prohibition on federal use of shared information to engage in surveillance and would mandate that DHS establish privacy and civil liberty policies and procedures with regard to the “receipt, retention, use, and disclosure” of information shared.
Both cyber threat sharing bills were amended to sunset seven years after enactment.
Why it matters: The question remains whether any of the data security or privacy measures will actually become law. The Senate must now reconcile the two House cyber threat sharing bills with each other as well as a Senate version, while the data breach notification proposal faces growing criticism over a lack of consumer protection.