Health records appear to be a big factor in why proposed data breach notification legislation has stalled, according to Roll Call.
The bill, sponsored by Reps. Marsha Blackburn (R-Tenn.) and Peter Welch (D-Vt.), would set a national standard governing how companies must respond when hackers steal customer data. However, there has been an outcry over its provisions to preempt stricter state-level data breach laws.
During markup of the bill in the House Energy and Commerce Committee, Democrats revolted over the provisions. Welch himself eventually voted against the bill--which focuses exclusively on the theft of financial data that hackers could use to access consumers' bank accounts--after Republicans opposed expanding the definition of personal information in the bill to include health records, according to the article.
The bill says companies would have to have reasonable security measures against hackers in place, and it would require them to investigate hacks of their networks. If they find consumer financial data was stolen, placing customers at risk of fraud, they'd have to notify them within 30 days of stopping the breach.
Committee staff think they can reach an accommodation with Welch to include more protections for medical records, but other groups representing financial services, convenience stores and realtors have come out against the bill, according to the article.
Meanwhile, Rep. David Cicilline (D-R.I.) has introduced an alternative bill in the House considered a companion bill to the proposed Consumer Privacy Protection Act, according to The Hill. Cicilline's bill would not preempt stricter state-level data breach laws.
A group of Democratic Senators in May introduced the Consumer Privacy Protection Act of 2015, which requires companies to take preventative steps to defend against breaches and to quickly notify customers if a breach occurs. It would not override state privacy laws already in place.