House passes Data Breach and File Sharing Disclosure Bills

The House of Representatives yesterday passed two bills that CDT testified on back in May.  H.R. 2221, focusing on data security, would create a nationwide data breach notification standard.  More importantly, from CDT's point of view — since numerous state laws already have effectively made it the law of the land to notify consumers about data breaches — the bill also would give consumers greater ability to review and/or control their data broker files.  This is a fundamentally good bill, and could be improved further if it were married up with Senator Leahy's data security bill, S. 1490, to include the best concepts of both.

The second bill, H.R. 1319, embraces the sensible principle that file sharing functions should be clearly disclosed to users in order to avoid inadvertent sharing of files.  CDT warned back in May that this is nonetheless a tricky area in which to legislate, as sharing files (which are just data) is a core behavior of Internet applications of all types.  Indeed, the original version of the bill would have imposed ill-fitting disclosure obligations on Web browsers, Web servers, anti-malware software, and more.  Fortunately, the revised bill passed by the House yesterday is greatly improved.  It eliminates the prior bill's use of the term "peer-to-peer," which after all is just a kind of architecture, not a specific function.  It significantly narrows the type of "file sharing software" to which the bill would apply, by, among other things, excluding Web servers and excluding software that transfers files only when the file's owner initiates the transfer or only to recipients the owner has pre-selected.  Some questions remain, such as whether the bill would (unintentionally) apply to cookies.  It remains to be seen whether the Senate will take up the issue; unlike H.R. 2221, there are currently no Senate bills covering similar ground.