A U.S. House of Representatives subcommittee has voted to approve a bill that would require companies to notify affected customers about data breaches and would require businesses holding personal information to establish data security programs.
The House Energy and Commerce Committee's trade subcommittee approved the Secure and Fortify Electronic Data Act (SAFE Data Act) by a voice vote Wednesday, after hours of debate on the legislation. Democrats on the subcommittee offered several amendments in an effort to broaden the types of personal data the bill would cover, but the majority Republicans rejected the amendments.
The bill is filled with "loopholes that sacrifice data security and privacy," said Representative Henry Waxman, a California Democrat. "A bill that is supposed to be enhancing data security and consumer privacy would actually seriously undermine it."
Representative Mary Bono Mack, the subcommittee chairwoman and a California Republican, urged lawmakers to move forward with the legislation, which she sponsored.
"It's time for Congress to take decisive action," she said. "Sophisticated and carefully orchestrated cyber-attacks -- designed to obtain personal information about consumers, especially when it comes to their credit cards -- have become one of the fastest-growing criminal enterprises here in the United States and across the world."
The bill now heads to the full committee for debate and a vote. The legislation would require businesses to report data breaches within 48 hours in most cases, and it would require the U.S. Federal Trade Commission to create data security rules for businesses that hold personal data.
U.S. lawmakers have attempted to pass breach notification bills for several years without success.
Several Democrats opposed the bill, saying it would preempt stronger state laws. More than 45 states now have data breach notification laws.
Bono Mack's bill also does not protect personal information such as over-the-counter drug purchases, e-mail addresses, payroll records, and online pictures and videos, Democrats argued.
The bill would require breach notifications only when a customer's name, phone number or credit card numbers were compromised along with a Social Security number, driver's license number, or other government ID, Democrats said. The bill would not require notification if a Social Security number, credit card number or bank account number was compromised, unless it were combined with other personal information, Waxman said.
The definition of personal information in the bill is "far too limited," said Representative G.K. Butterfield, a North Carolina Democrat.
Republicans defended the bill, saying it strikes the right balance between consumer protection and overly aggressive regulation.
The bill is "a measured response to an identified problem," said Representative Fred Upton, a Michigan Republican and chairman of the full committee. "Data breaches of consumers' personal information -- whether by accident or deliberate criminal activity -- can lead to identity theft, fraud, and other unlawful conduct."
Sign up for Computerworld eNewsletters.