The bill, the Secure and Fortify Electronic (SAFE) Data Act (HR 2577), would establish uniform national standards for data breach notification.
The bill would give the Federal Trade Commission (FTC) authority to levy civil penalties if companies or entities fail to respond to a data breach within 48 hours of determining the extent of the data breach and the identities of individuals affected.
Responding to passage of the bill by the House subcommittee on commerce, manufacturing, and trade, Bono-Mack said: “With cyber attacks clearly on the rise, something needs to be done immediately. In April of this year alone, some 30 data breaches at hospitals, insurance companies, universities, banks, airlines and governmental agencies impacted nearly 100 million records. And that’s in addition to the massive breaches at Sony, Epsilon and Citigroup.”
Not everyone, however, is thrilled with the national data breach notification bill. Rep. Henry Waxman (D-Calif.), who is the ranking Democrat on the full committee, said he is “disappointed” that the bill “is not the result of a bipartisan effort.”
Waxman particularly objected to the definition of "personally identifiable information" covered by the act. “Under the current version of the bill, most personal information stored online or in company databases is not protected. There is no protection for personal e-mails; no protection for personal photographs and videos stored on-line; no protection for records of book, video, and other consumer purchases; no protection for records of purchases of over-the-counter drugs, including pregnancy tests; no protection for payroll records.”
Waxman concluded: “This bill is not balanced. It preempts strong state laws and replaces them with a weak federal one. It threatens the FTC’s existing authorities. And it is filled with loopholes.”