Privacy
House Committees Face Off In Turf War Over Data Security
House Commerce Committee Chairman Joe Barton (R-Texas) May 24 rejected the idea
of seeking a compromise with the Financial Services Committee over data
security legislation, saying his committee had passed "the strongest
bipartisan" data security measure in the House.

Barton made his comments after a markup designed to assert his committee's
jurisdiction over the Financial Services bill (H.R. 3997). The Commerce
Committee voted 42-0 to completely replace the Financial Services bill with the
Commerce Committee measure (H.R. 4127).

The Financial Services Committee held a similar markup the same day. That
committee agreed by voice vote to replace the text of the Commerce Committee
bill with Financial Services language.

Lawmakers in several committees have grown increasingly concerned about data
security breaches. In a recent case, the Department of Veterans Affairs reported
that personal information, including Social Security numbers, on some 26.5
million military veterans was breached when an electronic device containing the
information was stolen from the home of a VA employee.

Consumer groups have endorsed the Commerce Committee bill, but they have raised
concerns about the Financial Services Committee measure, including that it would
preempt stronger state laws and that it would not provide enforcement authority
to state attorneys general.

The Financial Services bill has prompted similar concerns from Democrats on the
Financial Services Committee, including committee ranking member Barney Frank
(D-Mass.).

Meanwhile, House Judiciary Chairman James Sensenbrenner (R-Wis.) has introduced
a narrowly crafted data security bill focused on criminal penalties. A markup in
that committee is scheduled for May 25.

Commerce Bill 'Strongest Bipartisan' Measure

Barton told reporters that the Commerce Committee bill is the "strongest
bipartisan bill in the House."

"The other committees don't have the totality of jurisdiction that the Energy
and Commerce committee has, and they're not as unified," he said. "I strongly
encourage the speaker and majority leader to accept as the base bill the Energy
and Commerce bill and, to the extent that the other committees have jurisdiction
that this committee doesn't have, add their elements to that base bill."

House Financial Services Financial Institutions Subcommittee Chairman Spencer
Bachus (R-Ala.) appeared optimistic that a compromise could be reached.

"We'll get there," Bachus said May 24 in a BNA interview. "I think this latest
Veterans Affairs data loss is an impetus to move legislation."

Leaders Urging Single Measure, Oxley Says

House Financial Services Committee Chairman Michael J. Oxley (R-Ohio) told
reporters May 24 that the three committees working on data security have been
directed by House Republican leadership to craft a single measure.

"Leadership's charged the three committees with putting together a package that
can go to the floor when we return after Memorial Day," Oxley said, following an
address before the Independent Community Bankers of America.

Recent news of the VA data breach may be driving the effort for quick floor
action, Oliver I. Ireland, a partner with Morrison & Foerster in

The VA said May 22 that a data analyst took home a storage device with names,
Social Security numbers, and dates of birth for more than 26 million veterans.

Fallout from that security failure, one of the largest ever, is being felt on
Capitol Hill and could help drive efforts on data security, according to

"The publicity of the VA breach may spur some action," he said.

Outlook Uncertain

Lobbyists contacted by BNA said it is too early to tell what kind of legislation
will ultimately go to the House floor.

"Some in the Financial Services industry prefer the Financial Services bill,
while some in the tech community like the Commerce Committee bill better," said
Michael Zaneis, director of congressional and public affairs at the U.S.
Chamber of Commerce. "I see the good and bad in each bill and do not have a
preference for either as the vehicle. I guess it is always possible that a new
comprehensive bill would be introduced by the committees, but it is not likely."

Zaneis said he did not think the committees had gotten very far in terms of
reconciling the bills. "They've talked but have not gotten into the details," he
said. "That was what today's maneuvering was all about, each committee
positioning itself for the inevitable negotiations."

Although the Financial Services bill was crafted by a bipartisan group of
committee members, some Democrats, notably ranking member Frank, said it lacked
the consumer protections provided by the Commerce Committee measure.

"I am particularly concerned that our bill will diminish the rights of
consumers," Frank said. "For example, I believe it will make it harder to put a
credit freeze on" a consumer's credit report in the event of a security breach.
Frank said he also has concerns about provisions in the Financial Services bill
that would preempt tougher state data security protections.

Bachus said the Financial Services bill would require federal agencies such as
the VA to implement "strong data security safeguards and immediately
investigate" instances in which a data security breach may have occurred. Oxley
noted that the Commerce Committee bill does not contain a similar provision
addressing federal agencies.

Rep. Darlene Hooley (D-Ore.) introduced an amendment that would provide funding
to assure that all veterans affected by the recent data breach would be eligible
for six months of free credit monitoring. Hooley acknowledged that the amendment
would fall outside the jurisdiction of the Financial Services Committee and
agreed to withdraw it, but she added that she would work with the Veterans
Affairs Committee on the provision.

Bill Differences

Both bills would require companies to implement programs to safeguard sensitive
data and to notify consumers, as well as the federal government, about breaches.

The Financial Services measure would require consumer notification if, "at any
time," the company:

- becomes aware that a breach of data security is "reasonably likely to have
  occurred or be unavoidable," with respect to sensitive financial personal
  information handled by the company;
- becomes aware of information "reasonably" identifying the nature and scope of
  the breach; and
- becomes aware that such information is "reasonably likely to have been or to
  be misused in a manner causing harm or inconvenience" against consumers.

Consumer groups say the notification trigger in the Financial Services bill is
so complex it would make it easy for companies to avoid notifying consumers. Ed
Mierzwinski, consumer program director for the U.S. Public Interest Research
Group, has called the measure the "worst data security bill ever."

U.S. PIRG and other consumer groups prefer the Commerce Committee bill, which
would require companies to provide consumer notification of any data breach,
unless the company determines there is "no reasonable risk" of identity theft,
fraud, or other unlawful conduct.

The notification trigger in the Commerce bill was crafted to address concerns
from committee Democrats. Originally, the bill would have required notice of
breaches posing a "significant risk" of identity theft.

Republicans made several other concessions, including agreeing to language that
would:

- allow consumers annual access to records maintained on them by data brokers,
  as well as the right to have inaccurate information corrected or labeled as
  disputed;
- require data brokers to establish reasonable procedures to verify the accuracy
  of information that they collect and maintain;
- require data brokers to regularly monitor security systems for breaches; and
- grant enforcement authority to state attorneys general.

In February, Barton said the issue of state enforcement had been a key sticking
point in negotiations. The Commerce Committee bill, as introduced by Rep. Cliff
Stearns (R-Fla.), would have provided enforcement power only to the Federal
Trade Commission.

In marking up the Financial Services bill, Democrats were in favor of an
amendment offered by Rep. Luis Gutierrez (D-Ill.) to provide for state AG
enforcement, but Republicans rejected it, saying it would hinder efforts to
achieve a uniform national standard. Republicans also defeated amendments to
remove or narrow language in the bill preempting state laws. Democrats argued
that the legislation, as currently written, would preempt state laws with
stronger consumer protections, particularly with regard to allowing consumers to
freeze their credit reports.