"Consumer notification is often hampered by the fact that companies must first determine their obligations under 47 different state regimes," said Rep. Mary Bono Mack, R-Calif., the subcommittee's chair and bill's sponsor.
The Secure and Fortify Electronic Data Act, or SAFE Data Act, goes to the full Energy and Commerce Committee for consideration.
If enacted, the SAFE Data Act would preempt breach notification laws in 47 states and require notification of consumers within 48 hours after identifying specific information that was breached, unless it was an inadvertent breach unlikely to result in harm. The bill, HR 2577, would grant the Federal Trade Commission authority over not-for-profit organizations for purposes of this act only.
The ranking Democrat on the full committee, Rep. Henry Waxman of California, said the biggest loophole in the bill is its definition of personal information, contending the bill wouldn't protect most personal information stored online or in a company database.
"There is no protection for personal e-mails; no protection for personal photographs and videos stored on-line; no protection for records of book, video, and other consumer purchases; no protection for records of purchases of over-the-counter drugs, including pregnancy tests; no protection for payroll records," he said.
At a hearing last month, FTC Commissioner Edith Ramirez endorsed the bill, lauding provisions to authorize the use of standard notice-and-comment procedures rather than the more burdensome rulemaking process under the FTC Act (see Draft of Breach Notification Bill Criticized). That, Ramirez said, would allow the FTC to promulgate rules in a more timely and efficient manner. She also said the FTC supports provisions authorizing the agency to obtain civil penalties for violations. "Civil penalties are particularly important in areas such as data security, where the commission's traditional equitable remedies - including consumer restitution and disgorgement - may be impractical or not optimally effective," she said.
Bono Mack said the legislation would require:
- Companies and other entities that hold personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of that data.
- The notification of law enforcement within 48 hours after discovery of a breach, unless that breach was an innocent or inadvertent breach unlikely to result in harm.
- Organizations to begin notifying consumers 48 hours after taking steps to prevent further breach and determining who has to be notified.