The three bills passed by the committee are the Personal Data Privacy and Security Act (S. 1151) sponsored by Judiciary Chairman Patrick Leahy (D-Vt.), the Data Breach Notification Act (S. 1408) sponsored by Sen. Dianne Feinstein (D-Calif.), and the Personal Data Protection and Breach Accountability Act (S. 1535) sponsored by Sen. Richard Blumenthal (D-Conn.).
The bills have a number of similar provisions, such as requiring companies to take measures to secure personal information and notify consumers when their personal data has been breached.
Leahy said he found it “disappointing” that the committee’s Republicans voted along party lines on the data breach bills.
The committee’s ranking Republican, Sen. Chuck Grassley (R-Iowa), criticized the committee both on the content of the bills and its rush to pass them while a bipartisan group of senators is trying to draft compromise data breach legislation.
Grassley took S. 1408 to task for saddling small businesses with burdensome data breach notification requirements. “A small business, which over the years can easily acquire enough information to qualify under the bill, will have the same notification requirements as a large business. This means dealing with bureaucrats at the Federal Trade Commission, which will be a costly and timely affair”, he said in a statement.
Grassley also had misgivings about S. 1535, which he said would “desensitize consumers to threats of actual harm” and burden businesses through over-notification of data breaches. In addition, the enforcement and liability provisions of the bill are “troubling.”
“There’s a real danger that this bill could produce a lawsuit explosion against all businesses, big and small….This bill provides for enforcement actions to be prosecuted by (1) the Department of Justice, (2) State Attorneys General, and (3) individuals. All three of these groups could file lawsuits against the same business for the same conduct”, he warned.