House Subcommittee Wants a Common Floor; Massachusetts Attorney General Warns Against a Low Ceiling

According to its sponsor, Michael Burgess (R-TX), the goal of the Data Security and Breach Notification Act of 2015 is “a single, federal standard on data security and breach notification.” The Act was approved by the House Subcommittee on Commerce, Manufacturing, and Trade, of which Rep. Burgess is Chair, on March 25, 2015. The Act would create federal standards for securing personal information, as well as for investigating and reporting breaches. The FTC would be the primary enforcer, though state attorneys general could also bring enforcement actions if they first notified the FTC and the FTC chose not to bring its own action.

Massachusetts Attorney General Maura Healey on March 17, 2015 sent a letter to the Subcommittee blasting the proposed Act, calling it “an unnecessary retraction of existing protections for consumers at a time when such protections are imperative.” Healey argued that the Act would pre-empt state data security and breach laws related to data in electronic form, causing a “downward harmonization of security and breach standards and an associated drop in consumer confidence in the marketplace.” Healey offered several specific criticisms:

  • The Act does not explicitly define the minimum data security standards that would be considered the required “reasonable security measures and practices.”
  • The Act does not require notification of breaches to state attorneys general, and requires reporting to the FTC only if the breach is thought to affect 10,000 individuals or more, a threshold that Healey argues would exclude the vast majority of breaches.
  • The Act limits civil penalties to an overall cap of $2.5 million, and does not authorize state attorneys general to collect restitution for consumers.
  • The Act’s required notice to consumers provides too little information on how to protect themselves, and is vague about how quickly such notice must be provided.

Citing Healey’s concerns, Rep. Joseph Kennedy (D-MA) offered two amendments expressly to prevent the pre-emption of state data security requirements; both were defeated, with the votes breaking along party lines. While the prospects of the Act in its current form remain unclear, and state pre-emption is likely to receive attention in the wider House debate as well as in the Senate, Healey’s criticisms underscore the Massachusetts Attorney General’s keen interest in data security and privacy, including strong enforcement.