House Panel Clears Breach Notification Bill

SAFE Data Act Would Nationalize Breach Notification
The House Subcommittee on Commerce, Manufacturing and Trade approved by a voice vote Wednesday a version of a data breach notification bill that its Republican sponsor says would enhance protection of personal information by establishing uniform national standards.

"Consumer notification is often hampered by the fact that companies must first determine their obligations under 47 different state regimes," said Rep. Mary Bono Mack, R-Calif., the subcommittee's chair and bill's sponsor.

The Secure and Fortify Electronic Data Act, or SAFE Data Act, goes to the full Energy and Commerce Committee for consideration.

If enacted, the SAFE Data Act would preempt breach notification laws in 47 states and require notification of consumers within 48 hours after identifying specific information that was breached, unless it was an inadvertent breach unlikely to result in harm. The bill, HR 2577, would grant the Federal Trade Commission authority over not-for-profit organizations for purposes of this act only.

The ranking Democrat on the full committee, Rep. Henry Waxman of California, said the biggest loophole in the bill is its definition of personal information, contending the bill wouldn't protect most personal information stored online or in a company database.

"There is no protection for personal e-mails; no protection for personal photographs and videos stored on-line; no protection for records of book, video, and other consumer purchases; no protection for records of purchases of over-the-counter drugs, including pregnancy tests; no protection for payroll records," he said.

But Republicans contend the SAFE Data Act is about breach notification, not overall privacy, which is being addressed in other legislation.

At a hearing last month, FTC Commissioner Edith Ramirez endorsed the bill, lauding provisions to authorize the use of standard notice-and-comment procedures rather than the more burdensome rulemaking process under the FTC Act (see Draft of Breach Notification Bill Criticized). That, Ramirez said, would allow the FTC to promulgate rules in a more timely and efficient manner. She also said the FTC supports provisions authorizing the agency to obtain civil penalties for violations. "Civil penalties are particularly important in areas such as data security, where the commission's traditional equitable remedies - including consumer restitution and disgorgement - may be impractical or not optimally effective," she said.

Bono Mack said the legislation would require:

  • Companies and other entities that hold personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of that data.
  • The notification of law enforcement within 48 hours after discovery of a breach, unless that breach was an innocent or inadvertent breach unlikely to result in harm.
  • Organizations to begin notifying consumers 48 hours after taking steps to prevent further breach and determining who has to be notified.

About the Author

Eric Chabrow

Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.