Regulators seek more authority in data breach bill

Shutterstock image: secure data stream.

Federal regulators told lawmakers March 18 they want to see tougher provisions on rulemaking authority and protection of personal information added to data breach notification legislation before it becomes law.

Congress is feeling the heat to pass some form of data protection bill, in the wake of a seemingly endless streak of large-scale hacks of consumer information, most recently the cyberattack against Premera Blue Cross, which compromised information on 11 million customers.

"The reason it's important to do something now is that 2014 was dubbed the year of the breach," said Rep. Marsha Blackburn (R-Tenn.), a co-author of the draft measure and vice-chair of the House Energy and Commerce Committee.

The bill, which was recently released as a discussion draft, would set a national standard for companies to report data breach notifications within 30 days of the discovery of a hack, if there is a risk of financial harm or fraud to consumers. The draft defines personal information as Social Security numbers, as well as account credentials stored by covered commercial companies. The bill would preempt the patchwork of 47 state laws covering data breach notification, but would not intrude on the areas of health care and financial institution data covered by existing law.

"I think this bill is better for consumers than current law," said Jon Leibovitz, who was chairman of the Federal Trade Commission during President Barack Obama's first term and is now co-chairman of the 21st Century Privacy Coalition.

Blackburn and her co-sponsor, Rep. Peter Welch (D-Vt.), are taking a deliberately narrow approach with the legislation, to establish clear rules for the kind of retailer breaches that have compromised the information of hundreds of millions of consumer records nationwide.

"By targeting the most sought-after personal information, and the areas currently lacking federal protections, this bill avoids controversial issues that have derailed past efforts," said Rep. Fred Upton (R-Mich.), chairman of the House Energy and Commerce Committee.

Covering more data

But according to the FTC, this approach might be too narrow.

Jessica Rich, director of the Bureau of Consumer Protection at the FTC, said the categories of covered personal information need to be expanded to include identification numbers for state-issued drivers licenses, passports, and insurance policies -- all potential vectors for identity theft.

Additionally, categories of information such as precise geolocation data, health data, and data collected from Internet-enabled devices are of potential use to hackers, and should be included in the bill.

The FTC would also like to have rulemaking authority to craft rules of the road for data protection and breach notification, to respond to future threats that are not contemplated under the draft.

Another provision would take away authority of the Federal Communications Commission over telecommunications firms whose subscriber data and use information is disclosed, and move it to the FTC.

Clete Johnson, chief counsel for the FCC’s Public Safety and Homeland Security Bureau, worried that if the bill became law as written "the FTC would not have the authority to develop rules to protect the security of consumers' data or update requirements as new security threats emerge and technology evolves."

Even with the liberal Welch as a co-author, some Democrats on the panel oppose the draft, mostly because it would preempt the more stringent state breach notification and data protection laws. The bill has the backing of the Republican leaders on the committee, and appears poised to move, whether or not it is tweaked to bring along more Democrats.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.