Inside Cybersecurity

The Weekly Analysis

It may be 'wait 'til next year,' but push for breach-notice bill continues

By Charlie Mitchell / June 4, 2018

A key House member is continuing the push for action on data-security and breach notification legislation, but as the congressional calendar slips away, some sources say this year's work can be viewed positively -- but more realistically -- as an incremental step in the long-running campaign to craft a uniform federal standard.

“The Financial Services Committee is primed to act,” a source close to financial institutions and consumer credit subcommittee Chairman Blaine Luetkemeyer (R-MO) said last week, while cautioning that there is no timing yet for moving the lawmaker's draft bill on the topic as Congress returns from recess this week.

At the same time, House Energy and Commerce digital commerce and consumer protection subcommittee Chairman Bob Latta (R-OH) has led a series of deep-dive “listening sessions” with business, state and consumer groups.

Latta held a session with representatives from 30-plus groups just prior to the Memorial Day recess.

“It's fair to say there were differences of opinion,” said one industry source. For instance, the source said, a representative of Realtors argued that whatever party suffers the breach should do the public notification, while tech and telecom representatives countered that the “consumer-facing business” should do so.

“There was a lot of back-and-forth, but it's going to be hard to find consensus,” the source said.

Latta may hold another session in the coming weeks, possibly on what constitutes “sensitive” information that would trigger breach-reporting requirements, the source said.

The calendar

Congressional breach-notice efforts -- in the Financial Services and Energy and Commerce panels, as well as among individual lawmakers in the House and Senate -- were revived after the hack at consumer credit rating agency Equifax was revealed in September 2017. Industry groups and lawmakers from both parties detected a moment in which data-breach legislation might receive a critical boost, after more than a decade of start-and-stop attention in Congress.

Now, Congress is back for a four-week legislative stretch -- followed by three weeks in July prior to the planned month-long August break -- and the realities of the calendar are coming into focus. After the August recess, lawmakers are expected to be in session for only a few weeks before breaking for the midterm elections.

The Senate may abbreviate or cancel the summer recess, but House leaders haven't suggested such a move. And data-breach legislation is a House issue right now; senators who are interested in the issue have made clear they won't do anything until they see a bill -- preferably a widely supported bill -- emerge from the House.

Earlier this year, amid consumer outrage over Equifax, House GOP leaders instructed Energy and Commerce and Financial Services leaders to resolve their longstanding differences over breach notice and produce a bill.

It's unclear whether moving a bill is still a priority for a House leadership unsettled by Speaker Paul Ryan's (R-WI) retirement plans and facing a difficult midterm election in November. GOP leaders have rarely publicly broached the subject.

“Equifax gave the issue a lift this year, but the reality is this takes a lot of difficult work and it would affect everybody -- the legislation would regulate everybody,” said one industry attorney closely tracking the issue. “There is still a lot more work to do.”

The legislative state of play

Luetkemeyer and senior Financial Services member Carolyn Maloney (D-NY) have drafted a measure that includes security requirements and “immediate” consumer notification of breaches, combined with pre-emption of state breach-notice laws and a variety of exemptions that are controversial with consumer groups and with industries that don't get an exemption. All 50 states currently have some sort of breach-notification law.

The House draft language is still subject to “clarifying, tweaking and technical changes,” the source close to Luetkemeyer said. The legislation, when it gets the green light, is expected to be marked up at full-committee level, sources have said.

“There is no clear timeline but he is committed to moving a product,” the source close to Luetkemeyer said. “That could be a week or a month, but he's looking for an opening.”

It's still unclear whether Latta and Energy and Commerce Chairman Greg Walden (R-OR) intend to produce their own bill, but the source close to Luetkemeyer said discussions between the two panels' leaders are “absolutely ongoing.” This source suggested Luetkemeyer's bill, once passed by Financial Services, would go to the Energy and Commerce and other committees for review and modifications.

“The big issues are still out there,” the source said, “but I think it's fair to say that differences [between committees as well as some of those between industries] have been narrowed.”

The source said, “The committees are certainly talking and the desire is to collaborate.”

“Who has responsibility for notification and security has been the central issue for decades, and the biggest issues are still between the financial and retail sectors,” the source said. But the source added that the Luetkemeyer draft “is the most consumer-forward legislation we've seen on this,” while saying the language on third-party responsibilities “is more aggressive than most state standards.”

This source pointed to dynamics that could still propel action this year, including an initiative on the California ballot in November “that would impose drastically stronger reporting requirements” based on the European Union's new General Data Protection Regulation.

Likewise, the breach-notice rules in the GDPR should motivate U.S. policymakers to set a standard designed for this country, the source said. And, the source added, the November elections could produce a Democratic congressional majority that might not be as business-friendly as Luetkemeyer is on the issue.

But the industry attorney -- whose clients do not favor the draft Luetkemeyer language -- said “the reality is it's not going to get done this year, so dive in as deeply as possible and really think through the issues and get everyone to put their cards on the table.”

“There is a need for a process like Energy and Commerce is having,” this source said. “Some people would be OK with just having state laws on this, but a lot of folks won't be. This is a good discussion and a good starting point,” the source said of the Energy and Commerce process. -- Charlie Mitchell (cmitchell@iwpnews.com)