Panel to vote on data privacy measure

The House Energy and Commerce Committee is slated to vote Wednesday on legislation that would require strong security policies from firms that collect and store individuals' sensitive information and provide for nationwide notification in the event of a data breach.

The bill was sponsored by House Energy and Commerce Commerce, Trade, and Consumer Protection Subcommittee Chairman Bobby Rush, D-Ill., and was tweaked to win his panel's approval in June, but more revisions are expected.

His manager's amendment would let consumers ban the use of their information by data brokers for marketing purposes. That is in addition to language allowing individuals to access and correct profiles in marketing databases, according to a memo circulated to members. Breach victims could also sign up for credit monitoring or other related services instead of free credit reports.

Rush's proposal would clarify that persons subject to other relevant federal statutes' security rules that are "substantially similar to or greater than" his bill's requirements would be deemed in compliance.

It would also make clear that the legislation applies only to commercial entities subject to FTC jurisdiction, and that the civil penalty cap for state enforcement may not exceed $5 million for each violation.

Language concerning breaches of health information would be deleted from the bill, and a requirement that consumers receive a 60-day notice upon the discovery of a breach would be added, the memo stated.

Additionally, Rush's amendment would revise language pertaining to a breached firm's presumption of identity theft risk to be more technology neutral and remain current as encryption and other security technologies evolve.

The Energy and Commerce Committee also plans to take up legislation sponsored by Rep. Mary Bono Mack, R-Calif., that would regulate peer-to-peer programs and educate consumers about privacy and security risks associated with file-sharing. She plans to offer a manager's amendment to narrow the definition of a covered entity to avoid sweeping in legitimate technologies such as Web servers, e-mail and security software.

Proposed changes would also make clear that it is unlawful for a file-sharing firm to install or offer for installation a covered program unless it makes certain disclosures to the user. Furthermore, the amendment would give the FTC discretionary rulemaking authority and clarify that the federal government is exempt from the bill.

Despite the proposed alterations, "nothing in the [Bono Mack] bill as contemplated will mitigate the massive availability of sensitive information," Distributed Computing Industry Association CEO Martin Lafferty said. His group, which represents Lime Wire and other popular P2P services, favors a self-regulatory approach. "What we really need is more fact-based discussion and honest collaboration aimed at practical solutions," he said.
