In recent years, we have seen growing influence of state attorneys general in the realm of consumer data protections. State laws are increasingly requiring AGs be notified in the event of a breach, and state AGs are taking action for noncompliance, filing lawsuits for failure to notify within the required timeframe and reaching hefty monetary settlements for paper based data breaches.
Then on March 19, 2018, a group of 32 attorneys general signed a letter urging Congress to carefully consider the value in current state data breach notification regulations in pursuing a federal standard. Specifically, the group cautioned that preempting existing state security and data breach laws would be detrimental and undermine a state’s ability to minimize threats and protect consumers. The letter continued to state that the proposed bill in question, the Data Acquisition and Technology Accountability and Security Act, would:
- Reduce transparency to consumers, as the proposed bill allows a breached entity to determine, by their own judgement, if consumers should be notified.
- Delay notification to affected individuals, as the proposed bill outlines that affected individuals can be notified after the harm has occurred.
- Narrow focus on large-scale data breaches, as the proposed bill only addresses large, cross-jurisdictional breaches affecting 5,000 individuals or more.
The March 19 press release from Illinois Attorney General Lisa Madigan, who led the coalition of 32 attorneys general, includes this excerpt from the letter:
“States have proven themselves to be active, agile, and experienced enforcers of their consumers’ data security and privacy.”
Some members of congress have echoed this concern. A California representative, for example, was cited in February as having expressed concern that a national standard would “not recognize that some states such as New York and Massachusetts have good standards, higher standards, and a national standard would certainly not match that.” It’s also worth noting that, as the first state to enact a breach notification law, California continues to be a model of stringency.
Each state has data breach notification regulations, with South Dakota and Alabama both passing new breach laws the last week of March. Each state, the District of Columbia, and three territories have their own unique breach notification triggers, definitions, and requirements when it comes to assessing a privacy incident, determining if the incident is a data breach requiring notification, and then providing notification in a specified format to regulators and impacted individuals–and all within an increasingly specific time frame.
Nothing New Under the Sun: Talk of Federal Standards for Breach Notification Has Persisted for Years
Proposed legislation crops up annually in DC, typically following a largely publicized and poorly handled data breach impacting many, many Americans across the country. If you’ve been in privacy for a few years, this recent letter may be giving you deja vu, as in 2015, 42 state attorney generals sent a letter to Congress effectively warning against a federal data breach law not preclude current state laws or a state’s ability to enact new, and more stringent, laws.
In fact, performing a quick search for legislation about data breach notification on congress.gov shows nearly another bill introduced each legislative session, only to ultimately languish in the halls of the Capitol. This is good news if you are a consumer or an advocate for the rights of states because federal legislation typically gets too watered down as a matter of course to provide acceptable protection.
Having trouble keeping up with the ever-changing breach notification laws?
Access up-to-date overviews of U.S. and international data breach notification requirements — including GDPR — in the IAPP-RADAR Incident Response Center, a free tool available exclusively to IAPP members. Stay informed of incident risk assessment and reporting requirements, keep up with the penalties for non-compliance, and view a list of recently passed legislation all in one easy access tool.
Given this historic and ongoing pushback for a federal breach notification law, what continues to motivate Congress to keep re-introducing such legislation? Almost invariably the impetus is a poster child for bad behavior and this time the Equifax breach is likely to blame. Attorney General Madigan’s March press release mentioned the Equifax breach by name. At the February 14 meeting of the House Financial Institutions and Consumer Credit subcommittee, which discussed the possibility of instituting a federal data security regulatory requirement, the growing prevalence of data breaches in general – and the 2017 Equifax breach in particular – were both cited as motivating factors. As organizations continue to experience large, and widely publicized data breaches, we can expect to see more legislative proposals pop up in response without garnering bipartisan support in a time when partisanship is the currency.
So are we likely to see a federal standard that would sufficiently balance consumers needs while simplifying the current complexity of compliance with data breach notification in the near or distant future? Historically, it’s looking to be an uphill battle, and one we are destined to revisit over and over again.