The House Financial Services Committee completed the markup of the Data Security Act of 2015 (H.R. 2205) on Tuesday, a bill to strengthen protections for consumers against identity theft and fraud.
H.R. 2205 aims to require non-government entities that access, maintain, communicate, or handle sensitive financial account information or nonpublic personal information implement an information security program. The program would notify customers, federal law enforcement, appropriate administrative agencies, payment card networks, and consumer reporting agencies of certain data breaches of unencrypted information likely to cause identity theft or fraudulent transactions on consumer financial accounts.
“Today and every day this year, there will be 117,334 cyber incidents against the United States economy,” according to a PwC study. Protection of consumer financial data must be one of the top priorities in every sector of the economy. Unfortunately, Congress has struggled for over a decade to create a comprehensive data security and breach notification regime,” sponsor Rep. Randy Neugebauer (R-Texas), said in his opening statement arguing for the need of this legislation.
H.R. 2205 was co-sponsored by Rep. John Carney (D-Del.). The bill passed the committee 46-9.
Before passage, Neugebauer introduced a manager’s amendment to rewrite the bill following discussions with Ranking Member Maxine Waters (D-Calif.). Three main changes include a backup enforcement role for states attorneys general to ensure states maintain a role in the process, the harm trigger was amended to enhance consumer protection, and the timing of notification was clarified to make it more consistent with the majority of state laws.
This first amendment was approved by a voice vote.
Waters supported the bill’s aims but had remaining concerns regarding preemption of state laws. She quoted California Attorney General Kamala Harris, commenting “The data security and breach notification act would completely preempt California law that only data breach but also on information security. Should any final legislation have preemption provisions, we would prefer they be limited only to State laws that are less protective than or in conflict with the proposed law.”
Waters highlighted that 12 states have laws that cover data breaches in a manner similar to H.R. 2205 and failed in her effort to add an amendment to the bill ensuring any states that had similar laws would not be preempted if they did not conflict with the new bill. The vote failed 20-36.
Despite the bill’s strong committee support, several consumer and privacy groups opposed the act.
Although opponents approve of the commitment to improve data security and breach notification protections, the bill “would still weaken consumer protections in a number of ways, and eliminate protections altogether for some categories of personal information,” the coalition of opponents said in a letter addressed to Chairman Jeb Hensarling (R-Texas) and Waters.
The bill also does not improve the level of protection for consumers because most states already require notification after a data breach and both federal and state consumer protection law previously requires reasonable data security practices, the coalition said.
The opponents said H.R. 2205 would eliminate data security and breach notification protections for telecommunications usage information and cable and satellite viewing histories. While the Communications Act contains “very strong data security and breach notification protections for information about customers’ use of telecommunications services, such as phone call histories and location data,” the coalition said H.R. 2205 “is too narrow to cover that information.”
The coalition includes the Center for Democracy & Technology, Center for Digital Democracy, Consumer Action, Consumers Union, Consumer Watchdog, New America’s Open Technology Institute, the National Consumers League, and Public Citizen.