April 14, 2015

Congress Turns to Cyber and Data Breach Legislation

Holland & Knight Privacy Blog
Christopher DeLacy

After five years of trying and failing, over the next several weeks Congress may finally make meaningful progress on cybersecurity and data breach legislation.  This week the House Energy & Commerce Committee and the House Homeland Security Committee are respectively marking-up data breach and cybersecurity bills, and floor consideration could take place soon thereafter along with a House Intelligence Committee cyber information sharing bill.  The Senate intends to consider cybersecurity information sharing legislation on the floor prior to Memorial Day, and data breach legislation may be considered as an amendment to the cyber bill on the floor.  Of course, many important details are yet to be negotiated, and the ability of Congress to move legislation recently has been anemic.  What makes the current situation potentially different is that these bills are bipartisan, and the White House is supportive as President Obama has urged Congress to act on cyber, data, and privacy issues for some time.   


The House Homeland Security Committee marked-up an information sharing bill today (April 14).  Previously, on March 26, 2015, the House Intelligence Committee reported out a cybersecurity information sharing bill, and on March 12, 2015, the Senate Intelligence Committee reported out the Cybersecurity Information Sharing Act of 2015 (CISA).  All three bills are expected to receive floor consideration over the next few weeks and could ultimately be considered in connection with data breach legislation—either on the floor or during conference committee negotiations. 

Data Breach Notification

The House Energy & Commerce Committee intends to mark-up a data breach bill at the full committee level tomorrow (April 15).  The Committee held a hearing on the discussion draft on March 18, 2015 and marked-up the bill at the subcommittee level on March 25, 2015.  The Committee also made revisions to the bill last week.  On a parallel track, the Senate Commerce Committee is pursuing its own bi-partisan data breach legislation.  Senate Commerce Committee Ranking Member Bill Nelson (D-FL) has already introduced a data breach bill and Commerce Committee Member Senator Roy Blunt (R-MO) and Homeland Security and Government Affairs Committee Ranking Member Tom Carper (D-DE) may reintroduce their Data Security Act of 2014 from last Congress.  While cybersecurity legislation currently has more momentum, it is possible that data breach legislation will be included in a final legislative package sent by Congress to President Obama. 


Unlike cybersecurity information sharing and data breach legislation, privacy legislation is not making meaningful progress so far this Congress.  On February 27, 2015, President Obama released his draft consumer privacy bill of rights.  Another key piece of the White House privacy agenda includes the Student Digital Privacy Act, which is modeled after the student privacy pledge.  Congressmen Luke Messer (R-IN) and Jared Polis (D-CO) and Senator Blumenthal (D-CT) are working with the White House on student privacy legislation.  Senator Menendez (D-NJ) introduced S. 547, which addresses commercial privacy and the Children’s Online Privacy Protection Act (COPPA), and Congressman Albio Sires (D-NJ) introduced H.R. 1053, which is the House companion bill.  Senator John Hoeven (R-ND) also introduced a bill last month regarding driver privacy.  And given the uneasiness in the privacy community regarding the various cybersecurity information sharing bills, it is likely that privacy amendments will be offered as these bills are considered on the House and Senate floors. 


The House may consider cybersecurity and data security bills on the floor as soon as the week of April 20th.  The Senate is likely to follow suit before Memorial Day.  The House is more likely to consider each piece of legislation separately on the floor, while the Senate may consider data breach and privacy amendments to the CISA bill.  Of course, another high profile data breach, cyber intrusion, or privacy scandal could speed up consideration of legislation already moving through Congress. 

Related Insights