Grassley Executive Business Meeting Statement on the Personal Data Privacy and Security Act



Prepared Statement of Ranking Member Chuck Grassley


Senate Committee on the Judiciary


Executive Business Meeting


Thursday, September 15, 2011

 

Mr. Chairman,

 

We will be able to work on S.1151, the Personal Data Privacy and Security Act, and S.1408, the Data Breach Notification Act.

 

Both of these bills will have a major impact on the way private sector businesses operate.  I’m concerned that given over 9 percent unemployment and a renewed focus in Washington on creating jobs, this legislation may have the opposite effect. 

 

While we’ve focused on protecting information, we’ve not focused on protecting jobs.  This bill will likely drive up costs through even more burdensome regulations.  A company that hasn’t even suffered a breach may find itself unable to afford compliance with this bill’s new requirements.  Small businesses, which create most of the jobs in this country, may end up closing, or at least not hiring, when they’ve done nothing wrong.  We need to be smart with new regulatory burdens to ensure that consumers are truly protected, while fostering economic growth and not stifling it. 

 

To address these concerns, there are a number of amendments filed to both bills, including several that I have filed.  My amendments to S.1151 impact both the criminal and data breach portions of the bill. 

 

Before discussing the bills, I want to reiterate a concern I raised last week regarding the Committee’s approach to Cybersecurity legislation.  Specifically, both Majority Leader Reid and Minority Leader McConnell have committed to a working group approach to deal with cybersecurity legislation.  The approach is designed to allow the various committees with overlapping or concurrent jurisdiction to work together and develop bi-partisan cybersecurity legislation. 

 

So far, the working group approach has worked, with various committees agreeing to meet and discuss issues.  However, in staff discussions with other committees, like Commerce, there was some surprise that the Judiciary Committee was already marking up cybersecurity and data breach legislation, since we’ve all agreed to take part in the working groups.

 

I just want to say that while I respect this committee’s jurisdiction to discuss these matters, I—like Majority Leader Reid and Minority Leader McConnell—want a comprehensive bipartisan cybersecurity bill.  I’m concerned that by marking-up this bill that touches on areas that may overlap with other committees, we could hinder the working group approach. 

 

That said, on the criminal side of this bill, I have two amendments I intend to offer.  The first was circulated last week and involves the mandatory minimum sentence for violations of aggravated damage to a critical infrastructure computer.  This 3-year mandatory minimum penalty was requested by the White House as part of President Obama’s cybersecurity proposal. 

 

Second, I circulated a new amendment this week and am pleased to have Senator Franken as a cosponsor.  This amendment would modify the Computer Fraud and Abuse Act to address concerns raised by two recent criminal prosecutions brought by the Justice Department. 

 

I think many Americans would be shocked to hear that every day, they may be violating federal criminal law without knowing it, simply by violating website service agreements or employee computer access agreements. 

 

The Grassley-Franken amendment we’ll be offering today simply clarifies that the definition of “exceeds authorized access” in the Computer Fraud and Abuse Act does not include violations of internet terms of service agreements or non-government employment agreements restricting computer access.  It’s a common sense amendment that helps clean up some of the expansive provisions of our criminal code.

 

I also have amendments to the data breach portions of S.1151.  We must protect the personal and financial information of individuals collected in company databases.  I stated last week that solving this problem is something everyone supports.  However, determining how to do this in a way that balances the interests of both consumers and businesses makes for a difficult task.

 

We must work to not overburden small and large businesses with new, costly regulations.  Notice requirements must be constructive.  Notice should not include burdensome requirements where there is little or no risk of identity theft. 

 

The enforcement and liability provisions shouldn’t create the potential for abuse from overzealous prosecution.  The provisions in this bill run the risk of abuse and inconsistent enforcement.  These and other issues need to be resolved.

 

Today, the bill we consider has in some ways improved over previous versions.  However, it has expanded in other areas and this gives me concern.

 

I am pleased to see that the manager’s amendment has removed the Federal Trade Commission’s authority to modify the definition of sensitive personal information.  However, problems still remain. 

 

A broad definition will impact small businesses, which are subject to the same strict liability requirements and high penalties as large businesses, but without the same large resources.  At a time when we’re working to create jobs, these burdensome requirements will be a step in the wrong direction.

 

This bill requires notice when there’s a significant risk that a breach may or has resulted in “identity theft, economic loss or harm, or physical harm.”  There’s enough vagueness and breadth to cover situations that may not encompass what the drafters intended.  Given the penalties at stake, the incentive will be to err on the side of over-notification.

 

Thus, it is not unreasonable for me and others to be alarmed at the possibility of consumer over-notification that becomes counterproductive to what we seek to accomplish.

 

I’m also concerned that the safe harbor is in name only.  An over-worked Federal Trade Commission may find the easiest thing for a company to do in most instances is issue notice.

 

Further, I think it is troubling that this bill takes a “one size fits all” approach in requiring businesses to implement data security programs.  What works for one large company will not necessarily work for a small company. 

 

I also have amendments to S.1408, the Data Breach Notification Act, and many of my concerns with that bill are similar to those with S.1151.  I hope we can come together on these amendments and ensure that we aren’t unduly burdening American businesses with further unnecessary regulations that will hinder job growth by stifling innovation.

 

We have a lot of work to do.  Thank you.