Regulators seek more authority in data breach bill

FTC officials fear draft House legislation might be too narrow to fix the problem.


Federal regulators told lawmakers March 18 they want to see tougher provisions on rulemaking authority and protection of personal information added to data breach notification legislation before it becomes law.

Congress is feeling the heat to pass some form of data protection bill, in the wake of a seemingly endless streak of large-scale hacks of consumer information, most recently the cyberattack against Premera Blue Cross, which compromised information on 11 million customers.

"The reason it's important to do something now is that 2014 was dubbed the year of the breach," said Rep. Marsha Blackburn (R-Tenn.), a co-author of the draft measure and vice-chair of the House Energy and Commerce Committee.

The bill, which was recently released as a discussion draft, would set a national standard requiring companies to notify consumers of a data breach within 30 days of discovering it, if the breach poses a risk of financial harm or fraud to consumers. The draft defines personal information as Social Security numbers, as well as account credentials stored by covered commercial companies. The bill would preempt the patchwork of 47 state data breach notification laws, but would not intrude on health care and financial institution data already covered by existing federal law.

"I think this bill is better for consumers than current law," said Jon Leibowitz, who was chairman of the Federal Trade Commission during President Barack Obama's first term and is now co-chairman of the 21st Century Privacy Coalition.

Blackburn and her co-sponsor, Rep. Peter Welch (D-Vt.), are taking a deliberately narrow approach with the legislation, aiming to establish clear rules for the kind of retailer breaches that have compromised hundreds of millions of consumer records nationwide.

"By targeting the most sought-after personal information, and the areas currently lacking federal protections, this bill avoids controversial issues that have derailed past efforts," said Rep. Fred Upton (R-Mich.), chairman of the House Energy and Commerce Committee.

Covering more data

But according to the FTC, this approach might be too narrow.

Jessica Rich, director of the Bureau of Consumer Protection at the FTC, said the categories of covered personal information need to be expanded to include identification numbers for state-issued driver's licenses, passports, and insurance policies, all potential vectors for identity theft.

Rich also said that categories of information such as precise geolocation data, health data, and data collected from Internet-enabled devices are of potential use to hackers and should be covered by the bill.

The FTC would also like to have rulemaking authority to craft rules of the road for data protection and breach notification, to respond to future threats that are not contemplated under the draft.

Another provision would strip the Federal Communications Commission of its authority over telecommunications firms that disclose subscriber data and usage information, and move that authority to the FTC.

Clete Johnson, chief counsel for the FCC’s Public Safety and Homeland Security Bureau, worried that if the bill became law as written "the FTC would not have the authority to develop rules to protect the security of consumers' data or update requirements as new security threats emerge and technology evolves."

Even with the liberal Welch as a co-author, some Democrats on the panel oppose the draft, mostly because it would preempt the more stringent state breach notification and data protection laws. The bill has the backing of the Republican leaders on the committee, and appears poised to move, whether or not it is tweaked to bring along more Democrats.