A House subcommittee advanced legislation Wednesday aimed at preventing the kinds of massive hacks of personal information that have hit Target and Home Depot in recent years.
Although Congress has tried—and failed—several times to pass data-breach legislation, the issue appears to have gained new momentum this year. Consumers and businesses are increasingly anxious about hackers stealing sensitive data, and President Obama urged Congress to act during his State of the Union address this year.
But most of the Democrats on the House Commerce, Manufacturing, and Trade Subcommittee opposed the Data Security and Breach Notification Act on Wednesday, warning that it would undercut existing protections and ultimately leave consumers worse off.
The bill, sponsored by Republican Rep. Marsha Blackburn and Democratic Rep. Peter Welch, now heads to the full Energy and Commerce Committee for consideration. Senate Commerce Committee Chairman John Thune, a South Dakota Republican, has said he plans to pursue similar legislation.
"Finding a workable bipartisan compromise that can become law has been elusive," Subcommittee Chairman Michael Burgess, a Texas Republican, admitted. "But I believe that by focusing on how the criminals make their money, we can work together and achieve a workable solution for the millions of Americans impacted by identity theft and financial fraud."
The bill would require companies to alert customers when their personal information is stolen. That new national requirement would replace the current patchwork of 47 state data-breach notification laws, which businesses complain make for a compliance nightmare.
It would also explicitly give the Federal Trade Commission the power to require companies to have "reasonable" data-security protections. The FTC already claims to have that authority, but some companies are challenging the agency's interpretation in court. The bill would also grant the FTC the power to issue fines for violations.
But most of the subcommittee's Democrats warned that the legislation would scrap strong state laws in favor of a weak federal one. They tried to push amendments to allow the states to set stronger standards than the federal law, but the Republicans argued that would defeat the whole purpose of having a single compliance framework.
The Democrats also worried that the bill's definition of "personal information" is too narrow. It focuses only on financial data, like credit-card numbers and Social Security numbers, but doesn't cover other private information, such as email addresses, health information, or geolocation data.
And the Democrats criticized the bill for trimming the authority of the Federal Communications Commission over cable, satellite, and telephone providers. The FTC, they argued, is too weak a regulator for those services.
The subcommittee approved the bill on a voice vote, and the only Democrats who appeared to support it were Welch and Rep. Tony Cárdenas of California.
Welch, one of the lead authors of the bill, backed his fellow Democrats' amendments, but he urged them to be realistic about what's achievable in a GOP-controlled Congress.
"Consumers are getting hammered—Congress has to act," he said. "It's a long way from perfect, but it's a lot farther ahead than where we are."