On April 15, the House Energy and Commerce Committee approved the Data Security and Breach Notification Act by a 29-20 vote. The bill, H.R. 1770: The Data Security and Breach Notification Act of 2015, was initially backed by Rep. Peter Welch (D-VT) and Rep. Marsha Blackburn (R-TN) but passed along party lines.
The legislation would require companies to maintain “reasonable security measures and practices” to protect consumer data, and to disclose breaches when there is a risk of consumer harm. The notification would be required to take place within 30 days of when a company determines the scope of a breach and restores its systems.
Significantly, the legislation would “expressly preempt any related State laws to ensure uniformity of this Act’s standards and the consistency of their application across jurisdictions.” This is important because nearly every state has its own law on when consumers must be told that their data has been stolen in a cyber breach, but no single national standard exists that covers all intrusions. Many companies believe that the individual state notification standards are unwieldy to navigate in the event of a data breach.
The Blackburn-Welch bill is one of two data breach measures that could get a floor vote as early as this week.
You can follow the Consumer Financial Services Law Monitor for continued updates on this and other news stories.