The Senate Judiciary Committee approved three bills on Thursday aimed at setting national standards for security breaches involving personal data, but the party-line vote on the measures may complicate efforts to move them to the Senate floor.
The three measures are similar in that each would require companies to take reasonable steps to secure personal information about consumers and to notify consumers when their personal data has been stolen as a result of a security breach.
Senate Judiciary ranking member Chuck Grassley, R-Iowa, voiced similar concerns with all three bills, saying they would burden both big and small businesses and could lead to job losses at a time when policymakers are looking for ways to encourage job creation.
He went after one bill, offered by Sen. Dianne Feinstein, D-Calif., saying it could lead to companies burying customers in data-breach notices.
"Americans want and need the Congress to work with private businesses to create jobs," Grassley said. "However, under this bill, we may end up with more burdensome regulations, small businesses forced into bankruptcy, jobs lost, and consumers still going unprotected because the over-notifications will be ignored."
Grassley offered several amendments, including one that would set minimum sentences for hackers that was adopted by the panel. The committee rejected other Grassley amendments, including one that would limit the ability of state attorneys general to bring civil suits over a data breach and another that would require that any funds stolen and recovered as a result of a data breach go toward deficit reduction.
Grassley told National Journal after the markup that supporters will have a difficult time moving the bills to the Senate floor unless more changes are made.
Judiciary Chairman Patrick Leahy, D-Vt., authored the Personal Data Privacy and Security Act, the first bill adopted on Thursday.
A spokesman for Leahy pointed out that data breach legislation had enjoyed bipartisan backing, but now Republicans are opposing it. Grassley said the measures approved Thursday were more burdensome than the data breach bills approved by the committee in past years.
Feinstein said her bill is narrower and has a better shot of passing than the Leahy bill, which also includes legislation aimed at updating the Computer Fraud and Abuse Act. "I have tried to accommodate the other side and put out a bill that has a good chance of passage," she said.
The third data breach measure approved by the committee was authored by Sen. Richard Blumenthal, D-Conn. Grassley was particularly concerned that the definition of personal information included in Blumenthal's measure was too broad. He offered an amendment, which was rejected, that would have barred the Federal Trade Commission from expanding the definition.
Grassley and others said data-breach legislation may get wrapped up in cybersecurity legislation being negotiated by a bipartisan group of senators from several Senate committees. Grassley voiced frustration that Judiciary decided to act on the data-breach bills while efforts to craft a cybersecurity bill are still in play.
A committee spokeswoman said the panel brought up all three measures at the request of the senators who sponsored them, saying it is not unusual for the panel to approve different versions of the same bill. Leahy most likely will have to work with the other bills' authors on which version should be considered by the full Senate.
The Senate Commerce Committee had scheduled a markup of its own data-breach bill for this week but postponed it while Chairman Jay Rockefeller, D-W.Va., continues to work to bring some Republicans on board to support it, according to a Senate aide.