Lawmakers are restarting a long-running effort to enact a single federal law specifying when consumers should be notified when their credit cards, Social Security numbers or other personal information has been hacked or compromised.
A central question is what a federal standard would look like and what would trigger a requirement that consumers be notified that they might be at risk of fraud or identity theft. Industry groups say it is essential for the federal law to pre-empt the existing patchwork of state data breach notification laws.
But Democrats and privacy groups have raised concerns about pre-empting state laws with a federal law that might be weaker than some state laws.
Forty-seven states and the District of Columbia have laws on the books requiring companies to notify consumers in the event of a data breach involving personally identifiable information, according to the National Conference of State Legislatures. Only South Dakota, Alabama and New Mexico lack such laws.
Industry groups say complying with so many different state laws is costly, diverts resources away from addressing the breach and slows down efforts at communicating information to customers.
“Responding to a data breach for a company of any size is difficult, especially given the need to assess whether the breach could trigger notification provisions in any one of 47 states, whether they have consumers that live in any of those states, who to notify, how to notify, what information to include and what the timelines are for notification,” Elizabeth Hyman, executive vice president for public advocacy at TechAmerica, said at a House Energy and Commerce subcommittee hearing last week.
Any federal law needs to be the standard with which all companies comply, Hyman told lawmakers.
“If you’ve got 47-plus laws today, adding a 48th or 52nd law on top of it doesn’t accomplish much,” Brian Dodge, executive vice president for communications and policy at the Retail Industry Leaders Association, told CQ Roll Call.
New Jersey Republican Rep. Leonard Lance said at the hearing a federal law would streamline requirements and provide certainty to businesses and consumers, but that it would only be effective if it pre-empted the existing 47 state laws.
In January, President Barack Obama proposed data breach notification legislation to create a “single, strong national standard,” noting there was a “patchwork” of state laws.
But the call for a single standard that replaces the multitude of state laws worries some privacy advocates and Democrats who are concerned tough requirements in some states will be replaced with a watered-down federal standard.
“In addition, businesses that operate nationally often follow the strictest state laws, giving our constituents strong data security and breach notification protections coverage regardless of what is written in any individual state law,” Frank Pallone Jr. of New Jersey, the ranking Democrat on the Energy and Commerce Committee, said at the hearing. “And therefore, I can’t support any proposal that supersedes strong state protections and replaces them with one weak federal standard.”
That concern has also been expressed by Alvaro Bedoya, executive director of the Center on Privacy and Technology at the Georgetown University Law Center.
There’s a “real threat that any data breach standard that passes through Congress” would “water down existing privacy protections,” he said.
If a federal law is going to be enacted, at a minimum it shouldn’t “prevent states from legislating on issues that the federal law declines to address,” said G.S. Hans, policy counsel and director of the Center for Democracy and Technology’s West Coast office.
In an issue brief, which mentions that breach proposals introduced last Congress pre-empted state laws to different degrees, the group says federal pre-emption shouldn’t be overly broad.
“If a state wants to protect information not addressed by the federal law (such as medical records or other sensitive personal information), it must be allowed to,” it states.
In a statement, Ellen Bloom, senior director of federal policy at Consumers Union, said a federal standard should serve as a “floor, not a ceiling, so that states that want to do more to protect consumers can do so.”
The National Association of Attorneys General hasn’t taken a position on federal data breach legislation.
The National Retail Federation, for its part, argues that because state requirements differ, a federal breach notification law should be built on a consensus of those state requirements.
There are some things that most states do and that should be a model for a national standard, said Paul Martino, the group’s vice president and policy counsel.
“There are other things very few states do and they may be stricter or less strict but we think there has been a decade of state law in this area and Congress can work to create a federal standard that reflects the strong consensus of those standards at the state level,” he said.
While data breach notification may be less contentious than some other cybersecurity matters, details such as which breaches should trigger notification remain a matter of debate.
“The practical challenges — those are the ones we have to resolve,” Welch said at the hearing. “What do we do about a national standard? What do we do about having enforcement at the AG level?
“When should customers be notified? How do you give some time for a company that’s been breached to do law enforcement investigation and inquiry into what the scope of the breach was?” Welch asked.