In the wake of recent high-profile data breaches suffered by major companies that exposed over 100 million customer records to identity theft, the House Energy and Commerce Committee announced plans to conduct a sweeping review of the data security and privacy issues affecting American consumers and businesses. The Committee will divide the review into two phases by first surveying current security measures used to protect personal information online before turning to bolstering privacy protections for Internet users. Committee Chairman Rep. Fred Upton (R-MI) noted that the recent rise in cyber attacks seeking access to personal data necessitates a reassessment of the security standards used by companies that collect customer information. Communications and Technology Subcommittee Chairman Rep. Greg Walden (R-OR) echoed Sen. Upton’s concerns and stated that the review aims to produce policies which will strike a balance between protecting consumer information and maintaining innovation.
The Committee’s review will likely serve as a launching point to evaluate existing cybersecurity proposals and develop new data protection legislation. In April, Sen. John Kerry (D-MA) and Sen. John McCain (R-AZ) introduced the “Commercial Privacy Bill of Rights Act” to establish federal consumer privacy protections that would apply across industry sectors and level stiff civil penalties against companies that mishandle or lose customer information. To protect the privacy of young social media users, Rep. Joe Barton (R-TX) and Ed Markey (D-MA) proposed the “Do Not Track Kids Act,” which would establish a “Digital Marketing Bill of Rights for Teens,” require companies to erase personal information upon request, and prohibit the storage of user geolocation data. The storage of geolocation data garnered recent media attention following reports that Apple’s iPod and iPad operating systems tracked user movements through a software “bug” which the company later removed. States such as California have also attempted to force social media providers to afford customers more control over their online privacy settings, facing staunch opposition from many major Internet companies.
Despite some industry opposition, federal agencies, lawmakers, privacy advocates, and other online companies generally agree that some form of comprehensive data security legislation is necessary as more Americans disclose personal information online. The Committee has already heard testimony from companies damaged by cyber attacks that government support will be crucial to securing customer data. More than 45 states and U.S. territories currently possess some form of data breach notification or protection laws, creating a confusing and occasionally contradictory patchwork of regulations for customers and businesses to navigate. With the announcement of its data security and privacy review, the Committee hopes to soon place these diverging policies under one legislative roof.