Regulators seek more authority in data breach bill


Federal regulators told lawmakers March 18 they want to see tougher provisions on rulemaking authority and protection of personal information added to data breach notification legislation before it becomes law.

Congress is feeling the heat to pass some form of data protection bill, in the wake of a seemingly endless streak of large-scale hacks of consumer information, most recently the cyberattack against Premera Blue Cross, which compromised information on 11 million customers.

"The reason it's important to do something now is that 2014 was dubbed the year of the breach," said Rep. Marsha Blackburn (R-Tenn.), a co-author of the draft measure and vice-chair of the House Energy and Commerce Committee.

The bill, which was recently released as a discussion draft, would set a national standard for companies to issue data breach notifications within 30 days of the discovery of a hack, if there is a risk of financial harm or fraud to consumers. The draft defines personal information as Social Security numbers, as well as account credentials stored by covered commercial companies. The bill would preempt the patchwork of 47 state laws covering data breach notification, but would not intrude on the areas of health care and financial institution data covered by existing law.

"I think this bill is better for consumers than current law," said Jon Leibowitz, who was chairman of the Federal Trade Commission during President Barack Obama's first term and is now co-chairman of the 21st Century Privacy Coalition.

Blackburn and her co-sponsor, Rep. Peter Welch (D-Vt.), are taking a deliberately narrow approach with the legislation, to establish clear rules for the kind of retailer breaches that have compromised hundreds of millions of consumer records nationwide.

"By targeting the most sought-after personal information, and the areas currently lacking federal protections, this bill avoids controversial issues that have derailed past efforts," said Rep. Fred Upton (R-Mich.), chairman of the House Energy and Commerce Committee.

Covering more data

But according to the FTC, this approach might be too narrow.

Jessica Rich, director of the Bureau of Consumer Protection at the FTC, said the categories of covered personal information need to be expanded to include identification numbers for state-issued driver's licenses, passports, and insurance policies -- all potential vectors for identity theft.

Additionally, categories of information such as precise geolocation data, health data, and data collected from Internet-enabled devices are of potential use to hackers, and should be included in the bill.

The FTC would also like to have rulemaking authority to craft rules of the road for data protection and breach notification, to respond to future threats that are not contemplated under the draft.

Another provision would take away authority of the Federal Communications Commission over telecommunications firms whose subscriber data and use information is disclosed, and move it to the FTC.

Clete Johnson, chief counsel for the FCC’s Public Safety and Homeland Security Bureau, worried that if the bill became law as written "the FTC would not have the authority to develop rules to protect the security of consumers' data or update requirements as new security threats emerge and technology evolves."

Even with the liberal Welch as a co-author, some Democrats on the panel oppose the draft, mostly because it would preempt the more stringent state breach notification and data protection laws. The bill has the backing of the Republican leaders on the committee, and appears poised to move, whether or not it is tweaked to bring along more Democrats.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Connect with him on Twitter at @thisismaz.

