In an initial hearing to discuss a proposed national data-breach notification bill on Wednesday, representatives and witnesses dissected the SAFE Data Act proposed by Rep. Mary Bono Mack and said that the legislation had a long way to go to be ready for prime time.
The hearing, which is just the first step in a very long, arduous process, was mainly a discussion among the members of the House Commerce, Manufacturing and Trade Subcommittee about the various components of the legislation, with many of the committee members saying they had serious concerns about the vagueness of some of the sections. Chief among these was the proposed bill’s requirement that an organization that has been the victim of a breach conduct a risk assessment of the incident and then notify both the Federal Trade Commission and its customers within 48 hours of the assessment’s conclusion.
However, the SAFE Data Act doesn’t specify any time frame for the completion of the risk assessment. Theoretically, it could be dragged out indefinitely, which worried some of the committee members, as well as the witnesses.
“The notification needs to be provided as soon as is practicable. My first concern is the bill requires a risk assessment and then a report to consumers within 48 hours, but there’s no deadline to complete the risk assessment,” FTC Commissioner Edith Rodriguez said during her testimony. “That could place consumers at significant risk. There’s also no time limit on connecting with law enforcement. There ought to be some form of cutoff period to ensure that consumers receive appropriate notification.”
The SAFE Data Act, which Bono Mack (R-Calif.) is circulating in discussion draft form right now, would place extra breach-notification requirements on companies and other organizations that are attacked and lose customer data. It also would make the FTC the center of the notification process.
During the hearing, a few of the committee members voiced concerns about other parts of the draft bill, as well, including a provision that would exempt already public information from disclosure. Representatives worried that there was no definition of what constitutes public information and that it could allow data aggregators to avoid having to notify customers of breaches.
“A federal standard is important and the SAFE bill is a start, but it gives the green light to data aggregators to continue with business as usual,” said Rep. G.K. Butterfield (D-N.C.). “If you’re a criminal looking to do harm to a lot of people in one swoop, the Republican draft would be a boon to you.”
The FTC’s Rodriguez also said that she’d like to see a better definition of what constitutes personally identifiable information.
“I have issues with the definition of personally identifiable information. It’s too narrow,” she said. “I believe the provision focuses solely on financial information and doesn’t take into account other data like health information that isn’t covered by HIPAA.”
Bono Mack has yet to formally introduce the bill in the House, and it’s not clear when she will do so.