House Energy and Commerce Task Force on Privacy
On August 1, 2013, Chairman Lee Terry (R-NE) and Ranking Member Jan Schakowsky (D-IL) of the House Energy and Commerce Committee’s (“Committee”) Subcommittee on Commerce, Manufacturing, and Trade (“Subcommittee”) announced the formation of a new bipartisan Privacy Working Group (“Working Group”). The Working Group has been tasked with examining online privacy matters and the need to protect personal information in a way that preserves and promotes innovation. Specifically, Chairman Terry has asked the Working Group to explore “what we need to fix or if we need to fix anything.”1
Representative Marsha Blackburn (R-TN), who also serves as Vice Chair of the Committee, and Representative Peter Welch (D-VT) have been appointed to co-chair the Working Group. Other members of the Working Group include Representatives Barton (R-TX), McNerney (D-CA), Olson (R-TX), Pompeo (R-KS), Rush (D-IL), and Schakowsky (D-IL). These Representatives serve on the Subcommittee, which maintains jurisdiction over privacy matters.
The Working Group is expected to identify areas of common ground and to provide recommendations to the Subcommittee for its consideration. No formal timetable has been announced for the Working Group to complete its work.
House Energy and Commerce Subcommittee Hears from Industry on Reforming Breach Notification Laws
On Thursday, July 18, 2013, Representative Lee Terry (R-NE), Chairman of the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade, convened a hearing titled “Reporting Data Breaches: Is Federal Legislation Needed to Protect Consumers,” to examine whether there is a need for federal breach notification legislation.
While stressing the need to reform the patchwork of state data breach laws and to ensure that consumers’ data is protected, Chairman Terry cautioned against taking legislative or regulatory action that would add unnecessary compliance costs to the system. Ranking Member Jan Schakowsky (D-IL) called for a national standard for data breach notification and enforcement that would serve as the floor – not the ceiling – for state legislation and enforcement. Representative Joe Barton (R-TX) and Representative Henry Waxman (D-CA), Ranking Member of the full Committee, agreed with Rep. Schakowsky’s approach.
Industry witnesses focused on the high cost of compliance with the many breach notification laws and regulations across the country. The industry representatives generally supported a single, technology-neutral federal breach notification standard to replace the patchwork of state laws. Issues such as safe harbor provisions, the scope of personally identifiable information, and notification thresholds were raised but not discussed in detail. The two legal scholars testifying at the hearing discussed several concepts for policymakers to consider for breach notification reform, such as preemption, burdens of proof, and centralization of enforcement.
While other data issues, such as data aggregation and identity theft, were mentioned in passing, the substance of the hearing remained focused on breach notification issues.
The Senate Committee on Commerce Considers Cybersecurity
On July 24, 2013, Chairman Rockefeller (D-WV) and Ranking Member Thune (R-SD) of the Senate Commerce Committee introduced S. 1353, the Cybersecurity Act of 2013. The bill is intended to provide for an ongoing partnership between the public and private sectors to improve cybersecurity, as well as to increase cybersecurity research, workforce development, and education. Specifically, the bill would amend the National Institute of Standards and Technology Act to permit the Secretary of Commerce, acting through the Director of the National Institute of Standards and Technology (NIST), to facilitate and support the development of a voluntary, industry-led set of standards and procedures to reduce cyber risks to critical infrastructure.
The bill does not include information sharing provisions, which have previously drawn the attention of privacy and civil liberties advocates. Instead, the bill avoids the information sharing question altogether by prescribing the development of a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to “identify, assess, and manage cyber risks,” without providing requirements for what that approach must contain.
The bill currently has the support of different voices in the business community, but its potential for passage remains unclear.