The House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade has approved a data security bill by a voice vote, moving it to the full Energy and Commerce Committee for consideration. The Secure and Fortify Electronic Data (“SAFE Data”) Act would establish national rules for securing data containing personal information, as well as requirements for notifying affected individuals in the event of a breach. The rules would apply to any person engaged in interstate commerce who possesses data containing personal information related to that commercial activity. Specifically, the bill would require covered entities (including nonprofits) to maintain information security procedures to prevent breaches, and to notify affected individuals within 48 hours of discovering an electronic data breach of personal information.
Under the legislation, the Federal Trade Commission (“FTC”) would implement and enforce the regulations, and state attorneys general or other state officials would also have enforcement authority to bring civil actions. The bill would preempt state information security and breach notification laws, but not state consumer protection laws or state trespass, contract, tort, or fraud law.
Chair of the subcommittee, Rep. Mary Bono Mack (R-CA), noted in a press release that the legislation builds on information that the subcommittee examined during recent hearings, which focused on this year’s data breaches at Sony and Epsilon. The subcommittee also approved an amendment striking the FTC’s authority to use its Administrative Procedure Act rulemaking process to modify the bill’s definition of “personal information,” which the bill defines as an individual’s first name or initial and last name or address or phone number in combination with a Social Security number; a driver’s license or other similar identification number on a government document; or a financial account number or credit card or debit card number and any required security code.