Panel approves data-breach bills despite partisan rancor

The Senate Judiciary Committee approved three bills on Thursday aimed at setting national standards for security breaches involving personal data, but the party-line vote on the measures may complicate efforts to move them to the Senate floor.

The three measures are similar in that each would require companies to take reasonable steps to secure personal information about consumers and to notify consumers when their personal data has been stolen as a result of a security breach.

Senate Judiciary ranking member Chuck Grassley, R-Iowa, voiced similar concerns with all three bills, saying they would burden both big and small businesses and could lead to job losses at a time when policymakers are looking for ways to encourage job creation.

He went after one bill, offered by Sen. Dianne Feinstein, D-Calif., saying it could lead to companies burying customers in data-breach notices.

"Americans want and need the Congress to work with private businesses to create jobs," Grassley said. "However, under this bill, we may end up with more burdensome regulations, small businesses forced into bankruptcy, jobs lost, and consumers still going unprotected because the over-notifications will be ignored."

Grassley offered several amendments, including one, adopted by the panel, that would set minimum sentences for hackers. The committee rejected other Grassley amendments, including one that would limit the ability of state attorneys general to bring civil suits over a data breach and another that would require that any funds stolen and recovered as a result of a data breach go toward deficit reduction.

Grassley told National Journal after the markup that supporters will have a difficult time moving the bills to the Senate floor unless more changes are made.

Judiciary Chairman Patrick Leahy, D-Vt., authored the Personal Data Privacy and Security Act, the first bill adopted on Thursday.

A spokesman for Leahy pointed out that data breach legislation had enjoyed bipartisan backing, but now Republicans are opposing it. Grassley said the measures approved Thursday were more burdensome than the data breach bills approved by the committee in past years.

Feinstein said her bill is narrower and has a better shot of passing than the Leahy bill, which also includes legislation aimed at updating the Computer Fraud and Abuse Act. "I have tried to accommodate the other side and put out a bill that has a good chance of passage," she said.

The third data breach measure approved by the committee was authored by Sen. Richard Blumenthal, D-Conn. Grassley was particularly concerned that the definition of personal information included in Blumenthal's measure was too broad. He offered an amendment, which was rejected, that would have barred the Federal Trade Commission from expanding the definition.

Grassley and others said data-breach legislation may get wrapped up in cybersecurity legislation being negotiated by a bipartisan group of senators from several Senate committees. Grassley voiced frustration that Judiciary decided to act on the data-breach bills while efforts to craft a cybersecurity bill are still in play.

A committee spokeswoman said the panel brought up all three measures at the request of the senators who sponsored them, saying it is not unusual for the panel to approve different versions of the same bill. Leahy most likely will have to work with the other bills' authors on which version should be considered by the full Senate.

The Senate Commerce Committee had scheduled a markup of its own data-breach bill for this week but postponed it while Chairman Jay Rockefeller, D-W.Va., continues to work to bring some Republicans on board to support it, according to a Senate aide.
