Inside Cybersecurity

Cyber Congress: Analysis

Breach notification and digital privacy: Two issues, one piece of legislation?

By Charlie Mitchell / February 28, 2019

The legislative path on consumer data security and breach notification remains unclear, but a few things came into sharper focus this week as lawmakers began related efforts on privacy, the hottest digital topic on Capitol Hill in 2019.

In the House, the Energy and Commerce Committee is expected to move first in the larger debate on data privacy, and will try to fold in the perpetually intractable issue of breach notification. The House Financial Services Committee, which has produced competing breach-notice bills in recent years, appears ready to hang back and work on other priorities while Energy and Commerce gets the process rolling.

About this feature:
This story is the latest of a new feature, “Cyber Congress,” which provides easy access to our complete coverage of the 116th Congress with a weekly analysis and email alert every Thursday on what matters most and why.

In the upper chamber, a bipartisan group of senators is advancing on privacy -- and at least one key GOP committee chairman wants to address that issue separately from breach notification.

Breach notification came up for discussion during hearings this week on privacy by a House Energy and Commerce subcommittee and the Senate Commerce Committee, and during a hearing on consumer credit rating agencies like Equifax in the House Financial Services Committee.

Amid the political and policy complexity, sources from various industries say the chances of advancing a national data security and breach-notification standard are better than they have been at any time in the last decade. They are all eager to see legislative text -- on privacy and breach-notice -- which is still in the works on the Hill.

“There's no question they will make more progress this year than they have in the past,” said one attorney who has tracked the breach-notice issue for an industry group for many years. “It's hard to predict they'll get it across the finish line … but they have one of the best chances to come together on a difficult issue.”

The looming Jan. 1, 2020 implementation date for California's landmark digital privacy law “creates an imperative” for congressional action on that issue, the source said, adding lawmakers probably have the first half of 2020 to actually finish a bill before the 116th Congress' legislative work comes to a halt because of the elections. Other sources cautioned that the window of opportunity may be shorter than that.

But this attorney explained, “The [breach-notice] issue will be further shaped this year even if it doesn't get passed yet. The big engine is privacy. A lot of groups are desperate to pre-empt California's privacy law. Can data breach hitch a ride? There's a lot of sentiment to do so among industry groups.”

However, Senate Commerce Chairman Roger Wicker (R-MS) seems ready to take another tack, repeatedly stressing his belief that adding data breach would only complicate the already enormous task of passing a privacy law.

“The must-pass bill, to me, is privacy,” Wicker told reporters following his hearing. But he acknowledged, “Strong protection seems to have support on both sides.”

For instance, Sen. Tammy Baldwin (D-WI) said her constituents are “just as outraged” by the unauthorized uses of data seen in Facebook's Cambridge Analytica leak as they are by the exposure of their personal data in the Equifax hack, and said the public isn't making a distinction between these two scenarios.

“House Energy and Commerce and Senate Commerce will come up with two very different bills on privacy,” noted one source close to an industry group. This source and others in the business community expressed flexibility on whether privacy and breach-notice are best addressed together or separately.

“There should be one strong data security and breach-notification standard, and if that dovetails with the privacy effort, we say that's great,” the industry source said.

A source from another industry added “it's tough to tell which way is best,” saying, “If there's a way to thread the needle and do both, across the board, that would be amazing, it would be awesome.”

House Democrats see the two issues as a natural fit, with one adding momentum for the other.

Energy and Commerce Chairman Frank Pallone (D-NJ) linked the issues in his memorandum on this week's privacy hearing in one of his subcommittees.

“Consumers’ privacy concerns have increased over the past several months due to a series of high-profile incidents, including the Cambridge Analytica/Facebook data leak; two bugs in Google+ that allowed third-party app developers to access millions of users’ personal information; and an Amazon Alexa that shared a recording of a couple’s conversation without permission,” Pallone wrote. “Further, data breaches of sensitive information continue at an alarming pace. According to the Privacy Rights Clearinghouse, more than 11 billion records containing sensitive personal information have been involved in security breaches since January 2005.”

Pallone has been the most vocal new House Democratic chairman on breach notice and privacy, which suggests his panel will move first and leaves unclear if and when the Financial Services Committee may get at the data-breach issue.

The two panels have taken rival approaches in the past, but multiple sources observed that Pallone and Financial Services Chairwoman Maxine Waters (D-CA) have a strong history of working together and might have an easier time cooperating than their Republican predecessors did on the issue.

“The fact that Energy and Commerce jumped in on privacy probably means they go first on breach notification and Waters focuses on her other priorities,” the attorney said. Waters recently released a packed agenda for Financial Services in March that didn't include privacy or breach notification.

The first industry source said privacy and breach-notice have risen as priorities for lawmakers of both parties, but observed that the difficulties involved in passing complex legislation affecting many industries are still there.

“The California privacy law and [the European Union's] General Data Protection Regulation are changing the narrative -- the new legislative and policy reality is that California could be the floor [on privacy],” the source said. “But I still don't see a multi-industry scoping framework on privacy that's as strong as California's passing before 2020.” -- Charlie Mitchell (cmitchell@iwpnews.com)