Dear Chairman Burgess and Ranking Member Schakowsky:
The U.S. Chamber of Commerce, the world’s largest business federation representing the interests of more than three million businesses of all sizes, sectors, and regions, as well as state and local chambers and industry associations, and dedicated to promoting, protecting, and defending America’s free enterprise system, would like to summarize our views generally on data breach and suggest several ways to improve the “Data Security and Breach Notification Act of 2015” being marked up today in your Subcommittee.
Position on Federal Data Breach Legislation
The Chamber supports enactment of a truly uniform national data breach notification law. Protecting individuals’ sensitive personal information from theft or illegal uses has been and will continue to be a top priority for the business community. Federal data breach notification legislation would help businesses by reducing the complexity associated with complying with 47 state data breach laws. The Chamber urges you to be mindful that any such legislation, to be workable and effective, must recognize that both consumers and U.S. businesses are victims of crimes that give rise to a data breach and should be technology-neutral.
The Chamber supports a true national, uniform standard for data breach notification. A weak or poorly drafted preemption provision would accomplish little other than adding a new federal law to the state statutes and common laws already in effect, resulting in a confusing patchwork of requirements and enforcement regimes that would undermine the purpose and effectiveness of this legislation.
Therefore, the Chamber strongly supports the intent of Section 6 to preempt state breach laws. However, we strongly oppose the inclusion of the bracketed language under consideration (Section 6(b)) that would specifically maintain a covered entity’s liability under common law. Based on prior federal court decisions, it is clear that this type of provision jeopardizes the legal sustainability of an otherwise effective preemption clause. In the worst-case scenario, covered entities would have to comply with the Act and the 47 existing state statutes. Moreover, by allowing class actions based on state common law, the inclusion of the bracketed language would allow the trial bar to circumvent Section 4(c)’s prohibition on private rights of action for violations of this Act.
The Chamber is strongly concerned about Section 4(a)(1)’s straight-to-fines civil penalty authority. Companies are unable to obtain guidance from the FTC to ensure that they are in compliance with what the agency considers to be reasonable security practices. Yet, under this provision, the FTC can immediately impose civil penalties even though companies may not be aware they are out of compliance until the penalty is levied. Currently, under Section 5 of the FTC Act, the agency must issue a cease-and-desist order before being permitted to impose a fine for a violation of the Act.
To pursue violations of the consumer protections delineated in Section (1)(b), the FTC should be required to prove “substantial consumer harm.”
The legislation should curtail the ability of state attorneys general to utilize contingency fee arrangements with private attorneys to enforce the Act or to litigate claims on behalf of their constituents.
Given the complexity and expense of responding to a data breach, the Chamber cautions that a flawed liability provision would further penalize an entity that is a victim of data breach by drawing away valuable resources necessary to fix the breach, notify customers, and augment existing security measures. Providing state attorneys general with the ability to impose penalties of up to $2,500,000 seems disproportionate and would place an excessive financial burden on business, especially small businesses; therefore, the Chamber urges you to lower the cap to a much more reasonable amount. However, even more distressing is that the draft bill does not impose any cap on the penalties that can be imposed by the FTC.
The Chamber recommends deleting Section (5)(8)(A)(i)(II)(aa) because this information often is widely available. For example, it is our understanding that voter registration information given to campaign volunteers often contains data that would trigger this section.
In Section 5(8)(A)(iii), the Chamber seeks to ensure that “electronic identification numbers” excludes dynamic IP addresses. In the same section, the Chamber also recommends striking “any other thing of value” for vagueness.
The Chamber supports the public records exception in Section 5(8)(B)(ii), however we recommend the term “obtainable” rather than “obtained.”
Given the FTC’s expansive and vague interpretation of “reasonableness” in various data security suits brought by the agency, the Chamber recommends consideration of ways to further guide the FTC’s efforts in this area.
Notification of Information Security Breach
For greater clarity, the Chamber recommends adding “by a covered entity” after “discovery” in Section 3(a)(1). Additionally, notice should be tied solely to unauthorized acquisition, not access.
The Chamber looks forward to working with you and your colleagues as this legislation proceeds through the legislative process.