National Breach Notification Bill Advances
Amendments to Keep Some State Safeguards Rejected
Efforts by some Democratic members of a House subcommittee to amend a national data breach notification bill so that states could retain tougher data security requirements have failed.
After voting down Democratic-sponsored amendments, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade approved March 25 the Data Security and Breach Notification Act of 2015, moving the legislation to create a national standard for data breach notification one step closer to a House vote (see: Barriers to a Breach Notification Law). The measure's next stop is the full Energy and Commerce Committee.
Sponsors of the measure are Reps. Marsha Blackburn, R-Tenn., and Peter Welch, D-Vt. (see: Seeking Compromise on Data Breach Notice Bill).
The legislation, if enacted, would supersede the breach notification laws in 51 different jurisdictions - 47 states, three territories and Washington, D.C. - in favor of a single federal statute. It also would pre-empt provisions in the laws of some states that define specific security measures companies must take to safeguard the personally identifiable information of consumers. The federal notification bill would only require businesses and other organizations to implement and maintain "reasonable security measures and practices" to secure personal information.
One of the amendments rejected by the committee would have allowed states to define specific security measures.
"The [bill] eliminates state data security laws with an unclear standard that surely will be litigated and left to judicial interpretation," said Rep. Frank Pallone, the New Jersey Democrat who is the full committee's ranking member.
Welch, one of the bill's sponsors, pointed out that states weren't shut out of the legislation because their attorneys general, along with the Federal Trade Commission, would enforce a national data breach notification law.
The bill would require consumer notification no later than 30 days after the organization has taken "necessary measures" to determine the scope of the breach and restored the reasonable integrity, security and confidentiality of the data systems.
Each violation of the proposed law would be subject to a fine of up to $2.5 million. Organizations that must comply with the Health Insurance Portability and Accountability Act's breach notification requirements would be exempt from the bill's requirements.
The measure would require organizations to conduct a good-faith investigation after discovering a breach to determine whether there is a reasonable risk of identity theft, economic loss or harm, or financial fraud.