Communications Daily is a service of Warren Communications News.
Data Breach Bills

Despite Focus in Congress, 2011 Passage of Data Notification Bills Unsure, Say Some Experts

While Congress has held many hearings to consider legislation for data security and breach notification, some legal and security policy experts said it’s still hard to determine which bills have a chance of passing this year. Seven bills on the issue were introduced this year, some following breach incidents from companies like Sony and Epsilon.

Bills introduced by Reps. Mary Bono Mack, R-Calif., Bobby Rush, D-Ill., and Sens. Mark Pryor, D-Ark., and Jay Rockefeller, D-W.Va., designate the FTC to promulgate regulations for businesses that handle personal data. A bill from Sen. Patrick Leahy, D-Vt., calls for tough criminal penalties for those concealing a security breach. Other data security and breach bills were introduced by Sens. Dianne Feinstein, D-Calif., and Tom Carper, D-Del., and Rep. Cliff Stearns, R-Fla.

Carper, whose Data Security Act was introduced last month, said he’s looking for a measure to be passed this year. “I am hopeful that this year, Congress will take action and replace the current patchwork of state laws regarding data breach and establish a national law that provides uniform protections and procedures for all Americans,” he said in a statement. “I will continue to work with my colleagues to move this effort forward.” Bono Mack is confident that HR-2577, the Secure and Fortify Electronic Data Act, “will get the energy out of the Commerce Committee and the House as well,” said Ken Johnson, an aide for Bono Mack, chairman of Commerce’s Manufacturing Subcommittee. “Then we’ll start searching for a vehicle to get it done in the Senate.” The biggest hurdle to clear is getting people to focus on the problem, he said. “With the ongoing debate over our nation’s debt and the importance of cutting federal spending, it’s not easy to get people to concentrate on other issues.”

With a high-profile rash of breaches this year, Congress has a stronger impetus to pass legislation, said David Sohn of the Center for Democracy & Technology. Congress began looking at data breach in 2005, he said. But “Congress never quite gets over the finish line of combining bills or reconciling them,” he said. More debate on the bills, not movement, is expected this year, said Daniel Castro of the Information Technology and Innovation Foundation. What could spur more action is a massive breach this year, he said.

Including provisions from some of the bills in other legislation on larger issues is a possibility, Sohn and Castro said. “We could see it pulled into comprehensive baseline privacy legislation,” Castro said. “We'll probably see more progress and debate around this.” However, “I don’t think Congress has decided what form of privacy legislation they want to impose on industry,” he said. There’s still a lot of debate over whether self-regulation can be an effective tool, he added.

Baking a data breach subsection into a larger bill, like the Commercial Privacy Bill of Rights Act from Sen. John Kerry, D-Mass., could make it a lot tougher for it to get passed, said Lisa Branco, a privacy and security attorney at Zwillinger Genetski. Keeping data breach separate would be easier because “it’s less controversial than some other things,” she said.

“We’re confident that Chairman Bono Mack’s legislation will be the bill that eventually gets out of the House,” Johnson said. “But clearly, she believes very strongly that Congress needs to take action and she’s willing to compromise where it makes sense.”

The pending bills do not address the problems with the major breaches that occurred this year, Branco said. There’s a lot of impetus to get something passed, but those incidents “wouldn’t be implicated by the bills that are currently in play,” she said. For example, names and email addresses were compromised during the Epsilon incident in March, she said. “If you just have names and emails that are breached, you're not required by these bills to notify consumers.”

Similarities between some of the bills also make it hard to determine a winner, Sohn said. “It’s not like there’s one bill that’s head and shoulders above every one else,” he said. “Congress can decide to go forward on one, but there would have to be some cooperation with the leadership of the different committees where each bill was introduced.”