House Panel Heads Into Data Breach

WASHINGTON — While Republican legislators have been decrying threatened federal pre-emption of state laws on municipal broadband (see Rules), they were all for pre-emption of state laws on data security and notification.

The House Commerce, Manufacturing and Trade Subcommittee held its first hearing of the new Congress on how to deal with data breaches and informing consumers affected by them.

Both Republicans and Democrats agreed some legislative action is needed to help companies deal with the ongoing threat. And lawmakers talked a lot about finding bipartisan common ground. But the same fault lines appeared between Democrats and Republicans, industry — and, in this case, a lone academic — over how to achieve it.

The Republicans on the panel, joined by industry witnesses, argued for strong pre-emption of the 47 different state laws on security and breaches, saying those laws were necessary to provide companies with a standard to meet. President Obama urged the passage of such legislation in his State of the Union address, and both sides of the aisle on the committee pledged to work with the White House.

Rep. Michael Burgess (R-Tex.), the new chairman of the subcommittee, pushed for a single federal standard, saying the state benchmarks are expensive to comply with, confusing for businesses and change frequently.

Rep. Frank Pallone (D-N.J.), ranking member of the parent Energy & Commerce Committee, warned against pre-empting strong state data-security laws — Massachusetts’s and California’s, for example — in favor of a weak national standard.

That was just one example of the differences that still could divide the committee, its desire for bipartisanship notwithstanding. Another is what should trigger a notification: only breaches that can be determined to threaten immediate harm or all such incidents.

The hearing was held as the Federal Trade Commission released a staff report calling for passage of data breach and security legislation (see below).

All parties agreed that some kind of legislation was needed, but the devil still looked to be in the details, with Democrats leaning away from broad pre-emption and an actual harm standard, and Republicans leaning toward them.

In the Senate, Commerce Committee chairman John Thune (R-S.D.) promised that his committee “will seek to tackle the data breach notification issues that have hamstrung Congress for far too long.”

FTC: Minimize IoT Data Collections

WASHINGTON — The Federal Trade Commission last week issued a report on the Internet of Things (IoT) that recommends companies minimize the data they collect and the time frame in which they retain it.

The regulator said it agrees with “many stakeholders” that any specific legislation on privacy and security would be premature, but it called for broad legislation in those areas. The report recommends a number of steps businesses can take to protect information in a world of interconnected devices — some 25 billion of them, according to the agency.

In terms of data minimization, the reports says companies can choose from collecting no data, limiting data collection to what is essential for the service offered by the device, collecting less-sensitive data or anonymizing the data collected.

John Eggerton

Contributing editor John Eggerton has been an editor and/or writer on media regulation, legislation and policy for over four decades, including covering the FCC, FTC, Congress, the major media trade associations, and the federal courts. In addition to Multichannel News and Broadcasting + Cable, his work has appeared in Radio World, TV Technology, TV Fax, This Week in Consumer Electronics, Variety and the Encyclopedia Britannica.