Export Compliance Daily is a Warren News publication.
Pre-Emption Questions

House Commerce Subcommittee Optimistic About Passing National Data Breach Notification Bill

House Commerce, Manufacturing and Trade Subcommittee members said they're optimistic that the House can produce a bipartisan national data breach notification bill. Still, their questions during a Tuesday hearing revealed lingering concerns about the bill's details. Subcommittee Chairman Michael Burgess, R-Texas, said he believes it’s “achievable” for Congress to pass a national data breach bill this session. House Commerce Committee Chairman Fred Upton, R-Mich., said Congress will need to “get it right” on data breaches “before we try to tackle some of the other concerns” about cybersecurity.


Burgess echoed Upton and other subcommittee Republicans in supporting a requirement that the House’s data breach bill pre-empt similar laws on the books in 47 states, Washington, D.C., Guam, Puerto Rico and the U.S. Virgin Islands. “It’s clear most of us agree on pre-emption,” Burgess said. Burgess and Upton had indicated after the White House pushed earlier this month for a national data breach bill that the committee would make advancement of a bill one of its first priorities (see 1501120043). Senate Commerce Committee ranking member Bill Nelson, D-Fla., introduced the Data Breach Security and Breach Notification Act (S-177) this month to mirror the White House’s legislative proposal (see 1501140046).

Subcommittee Democrats largely indicated concerns with pre-empting existing state laws if the national law ends up being weaker than the strongest state data breach laws. Those include existing laws in California and Illinois and a proposed strengthening of New York’s law (see 1501160052). Seven states, including New York, have proposed strengthening their data breach laws since the beginning of the year.

House Commerce ranking member Frank Pallone, D-N.J., cautioned against replacing the strongest state laws with a “single weak national standard.” Subcommittee ranking member Jan Schakowsky, D-Ill., said a national data breach law shouldn’t weaken a state attorney general's ability to enforce a notification law. Rep. Peter Welch, D-Vt., said he’s generally against pre-emption but he has “been persuaded that if we can get the right standard, this is one of those situations where it really makes sense to have pre-emption.” Welch and House Commerce Vice Chairwoman Marsha Blackburn are collaborating on a data breach bill. Industry lobbyists have told us they believe state governments with the strongest laws are likely to fight against pre-emption if they believe a national bill’s provisions are weaker than what’s already in place.

Three of four witnesses at the House Commerce hearing strongly favored pre-emption. Elizabeth Hyman, executive vice president-public advocacy for CompTIA’s TechAmerica public policy division, said “strong pre-emption language” is necessary because the current patchwork of state laws “creates significant compliance costs” and creates confusion for companies that are typically “under the umbrella of multiple state laws at all times.” Hyman said she'd be willing to support a strong national law that also provides a role for states’ attorneys general provided there's also a role for the FTC. Brian Dodge, Retail Industry Leaders Association executive vice president-communications, said he believes national pre-emption is “critical” and would support a strong standard. Woodrow Hartzog, a data breach law expert at Samford University’s Cumberland School of Law, said he generally has “reservations” about national pre-emption of state data breach laws but wouldn’t oppose pre-emption if a national standard mirrored the strongest state laws.

Subcommittee members also focused on possible parameters for determining which data breaches would require notification. Acxiom Chief Privacy Officer Jennifer Glasgow urged the subcommittee not to set standards that would lead to over-notification of data breaches, saying industry is generally “very sensitive” to inundating consumers with such notifications. Dodge said consumers “should have a strong expectation” that companies will notify them of data breaches only when there’s evidence of access to information that actually presents a risk of harm. Further state-level experimentation is needed to ensure consumers aren’t saturated with messages, but “we lose out” when the number of notifications drops because “there’s value” in consumers being reminded about data breach risks, Hartzog said.