Letter to the House Subcommittee on Commerce, Manufacturing, and Trade on the “SAFE Data Act”

Tuesday, July 19, 2011 - 8:00pm

The Honorable Mary Bono Mack
Chairman
Subcommittee on Commerce, Manufacturing, and Trade
Committee on Energy and Commerce
U.S. House of Representatives
Washington, DC 20515

The Honorable G.K. Butterfield
Ranking Member
Subcommittee on Commerce, Manufacturing, and Trade
Committee on Energy and Commerce
U.S. House of Representatives
Washington, DC 20515

Dear Chairman Bono Mack and Ranking Member Butterfield:

          The U.S. Chamber of Commerce, the world’s largest business federation representing the interests of more than three million businesses and organizations of every size, sector, and region, is concerned with several provisions of H.R. 2577, the “Secure and Fortify Electronic Data Act” (“SAFE Data Act”).

          The Chamber appreciates the goal of this legislation. Protecting individuals’ sensitive personal information from theft or illegal uses has been and will continue to be a top priority for the business community. Enacting a uniform federal standard for data security and breach notifications could ease compliance and foster job creation.

          However, the Chamber believes that certain aspects of this legislation could impede the ability of businesses to expand and innovate. The Chamber urges the Subcommittee to address these shortcomings before the bill reaches the full Committee.

Fully and Completely Preempt All State Laws and Regulations that Deal with Data Security and Breach Notification Requirements

          The preemption this legislation would provide only applies to entities that are “subject to this Act,” meaning that certain types of entities would remain subject to data security and breach notification requirements at the state level. This lack of full preemption could create a confusing patchwork of requirements and enforcement regimes that could undermine the effectiveness of this legislation. Therefore, to ease regulatory and compliance requirements and to facilitate job creation and innovation, the Chamber urges the Subcommittee to establish a true national, uniform standard for data security and breach notification.

Eliminate or Limit Enforcement of the Act by State Attorneys General
 

          The Chamber is concerned that enabling state attorneys general to impose 50 different enforcement regimes would undermine the uniformity of this legislation, and make compliance exceedingly difficult. As a result, we urge you not to provide them such authority. At the very least, the bill should curtail the ability of state attorneys general to utilize contingency fee arrangements with private attorneys to enforce this Act or to litigate claims on behalf of their constituents.

Ensure that Entities are Fully and Completely Exempt from Duplicative Regulations
 

          The Chamber urges the Subcommittee to ensure that entities subject to other federal data security and breach notification requirements are exempted from the requirements of this legislation. The Chamber believes that allowing duplicative regulatory regimes would destroy the uniformity and certainty that the legislation is intended to create. Given the potential conflicts with having data covered by more than one federal law, a covered entity could very well find itself unable to comply with separate federal laws for the same covered information, thereby unintentionally subjecting itself to fines and other enforcement actions for noncompliance.

Clarify Liability Provisions

          The Chamber is concerned about the application of a daily fine as it relates to the bill’s security requirements. Specifically, the Chamber recommends that minor technical violations should not result in either civil penalties or liabilities. Also, the Chamber urges the Subcommittee to clarify several confusing provisions. If an entity is found liable for violating the data minimization requirement, is every day that the entity maintains records that should have been destroyed throughout all of their databases a multiplier penalty? If so, companies could be potentially in permanent violation. How would settlement agreements affect the maximum total liability cap? How would state AG enforcement impact the cap? Additionally, the potential of $5,000,000 in penalties per violation seems disproportionate and would place an excessive financial burden on business, especially small businesses; therefore, the Chamber urges the Subcommittee to lower the cap to a much more reasonable amount.

Permit Greater Flexibility on Timing of Breach Notification

           The Chamber agrees that consumers should be notified in a timely manner after the occurrence of a reportable data breach. However, given the complexities of dealing with a data breach, the Chamber recommends that Section 3(a)(4) of the bill be modified by replacing “not later than 48 hours” with text permitting greater flexibility (e.g., “as promptly as possible” or “without unreasonable delay”).

Eliminate the Data Minimization Requirements

          The Chamber is concerned that the data minimization requirements established in Section 2(b) are very subjective, and could impose liability on companies for retaining data that they believe will be beneficial. Rather than risk liability, companies may self-censor. By taking such action, these companies may fail to realize the full, legitimate benefits of their data. Innovation and economic activity could suffer.

Remove the FTC’s Ability to Modify the Definition of Personally Identifiable Information (PII)

          While the Chamber appreciates the limitations placed on the FTC’s ability to modify the definition of PII, we believe that the FTC’s ability to modify the definition through their current rulemaking authority is sufficient. Providing the FTC with additional rulemaking authority in this case would create regulatory uncertainty and harm business’ ability to innovate.

          Thank you for taking our concerns into consideration. The Chamber looks forward to continued discussions with you, your committee colleagues, and your staff on this very important topic.

Sincerely,

R. Bruce Josten

Cc: Members of the Subcommittee on Commerce, Manufacturing, and Trade