Panel to take up new version of data breach bill

Rep. Mary Bono Mack , R-Calif., has released a new version of legislation aimed at addressing some of the concerns with a draft measure setting national rules for when companies and organizations must notify federal authorities and consumers after a data breach.

The House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade is set to mark up the bill Wednesday. Mack, the subcommittee's chairwoman, made several changes to a draft measure she released last month in response to concerns raised at a June 15th hearing by committee Democrats, privacy advocates and the Federal Trade Commission.

While similar versions of the legislation have been offered in recent years, the issue has gained new urgency after a series of high-profile data breaches at such companies as Sony and Citibank resulted affected the personal information of millions of consumers. Sony was criticized in particular for waiting several days before notifying consumers that its PlayStation network had been hacked.

"My legislation is crafted around a guiding principle: Consumers should be promptly informed when their personal information has been jeopardized," Bono Mack said in a statement Tuesday. "The time has come for Congress to take decisive action. We need a uniform national standard for data security and data breach notification, and we need it now."

Bono Mack's bill requires companies that possess personal data about consumers to take adequate steps to safeguard that information and notify federal authorities and consumers following a breach.

Under the draft bill, the committee required companies to notify consumers and the FTC within 48 hours of a breach after doing a risk assessment. Democrats voiced concern that there was no time limit on this risk assessment and that it could be stretched out indefinitely. However, some industry officials said the 48-hour time frame was too short and could lead to an over-notification of consumers.

The latest version still requires that consumers and the FTC be notified within 48 hours but only if they are at risk for identify theft or fraud as a result of the breach. At any rate, notification must come within 45 days of the discovery of a breach.

Other changes made to the draft bill include providing more precise language for identifying individuals who are affected by a breach and in defining what constitutes a data breach, Bono Mack's spokesman Ken Johnson said.

"We've made a good faith effort to address their [Democrats] concerns," he said.

Democrats wanted other changes, too, such as a broader definition of personally identifiable information. The latest version does not appear to have addressed this issue. Energy and Commerce ranking member Henry Waxman, D-Calif., still has strong concerns with the measure, according to a House staffer.

Another House aide said Democrats may offer some amendments at the subcommittee markup but it's unclear what areas they would target.