House Commerce Passes 'Partisan' Bill, but Bachus Seeks Consensus

Citing a lack of consensus over data privacy legislation, the chairman of a key House Financial Services subcommittee said he did not expect to begin marking up any bills until January or February. The move was in contrast to action by the House Energy and Commerce Committee, which had rushed through a controversial bill just days earlier after a party-line vote.

At a November 9 hearing, Representative Spencer Bachus (R-Alabama), chairman of the House Financial Services Subcommittee on Financial Institutions, said he favored a "go-slow" approach after learning that such senior Democrats and Independents as Ranking Member Barney Frank (D-Massachusetts) and Representative Bernie Sanders (I-Vermont), as well as 48 state Attorneys General and 13 consumer-privacy groups, were strongly opposed to HR 3997, the main bill being considered by the panel.

The measure, which was portrayed as bipartisan, was sponsored by Ohio Republicans Steven LaTourette and Deborah Pryce and Democrats Darlene Hooley of Oregon and Dennis Moore of Kansas.

In 2003, Hooley and Moore were key players in forging a bipartisan movement that led to enactment of amendments to the Fair Credit Reporting Act known as the FACT Act. Bachus was the lead House subcommittee chairman for the FACT Act debate in 2003. HR 3997 was generally endorsed by industry, led by the Financial Services Coordinating Council, the American Financial Services Association, and the U.S. Chamber of Commerce.

But Representatives Frank and Sanders, along with Julie Brill, Vermont's Assistant Attorney General, and the consumer-privacy groups, charged that HR 3997 would water down breach notification standards established by legislation in some 22 states and would broadly preempt other state laws, possibly including 12 statutes that permit consumers to "freeze" disclosure of their credit reports. Brill said such a move would amount to reneging on a vow by Congress to leave the states free to act in these areas, as expressed in the 2003 FACT Act and the 1999 Gramm-Leach-Bliley Act (GLB). The opponents of HR 3997 charged, moreover, that the proposed legislation had the potential to weaken GLB's data security safeguards.

On November 3, Republicans on a House Energy and Commerce subcommittee won a 13-8 vote in favor of a national breach notification bill. The measure would require information brokers to submit plans for safeguarding private data to the Federal Trade Commission for monitoring and review. Data brokers, direct marketers, financial institutions, and several large technology companies supported the approach taken by the bill, as did FTC Chairman Deborah P. Majoras. They argued that thieves or hackers cannot always use data they might gain access to, and that bombarding consumers with notices every time a breach occurs would cause people to ignore them.

Representative Janice D. Schakowsky (D-Illinois) called the latter argument disingenuous, adding that many consumers might not even have received notice of some of this year's major breaches under the notification standard that would be set by HR 3997.

The proposed measure would mandate that data brokers and other firms that store consumer data would have to notify consumers that their information had been breached only after a determination that a "significant risk" of identity theft or other fraud might result. Significantly, that decision would be made by the company that had experienced the breach, which Democrats said was tantamount to having no notification requirement at all.

Democrats also criticized the removal by Republicans of a provision in an earlier version of the bill that would have granted consumers rights of access to and correction of information about them held by brokers. Also cited as a flaw by Democrats was the fact that the bill would prevent state attorneys general from enforcing it, instead putting the entire burden of enforcement on the FTC. The bill would allocate $1 million annually to the FTC for enforcement of its provisions.

Representative Cliff Stearns (R-Florida), chairman of the subcommittee and the bill's chief sponsor, said the provision was removed because it should more properly be considered as part of a privacy bill to be taken up early next year. A spokesman for Representative Joe Barton (R-Texas), chairman of the full Energy and Commerce Committee, said negotiations broke down when Democrats reversed field on the "core concept" of the bill, according to a Washington Post report. Barton said there is still time for compromise before the bill passes through the full Energy and Commerce Committee, but added that he wants the bill passed by the House this year. There has been no consensus on a Senate version of the bill.

At the House hearing, Representative Frank lampooned industry's professed concern about sending consumers too many notices. "The financial industry for years has loaded up my mailbox with all sorts of stuff. Now they say the one notice they don't want me to get is the one telling me that my information has been compromised?"

LaTourette, the bill's chief sponsor, took the criticism in stride, but said no one liked hearing that "your child is ugly."

Brill countered that the "child wasn't ugly," but "was failing in class and greatly in need of remedial help."

Evan Hendricks, editor and publisher of Privacy Times, pointed to this year's unprecedented string of privacy-jeopardizing security breaches, and to opinion polls showing overwhelming public support for stronger action. He decried the absence in HR 3997 of provisions extending FCRA-styled rights to information brokers. Thirteen consumer and privacy organizations signed on to Hendricks' testimony.

As a "ship of state," privacy was under constant challenge, Hendricks said. Echoing other critics' concerns over HR 3997, he added, "We don't want to pass a bill that could be characterized as the 'Titanic Deck Chair Reorganization Act.'"