Last week's revelations that criminal hackers stole the records of 4 million current and former federal employees from the Office of Personnel Management are a sharp reminder of the staggering toll of data breaches in the US. Over the past 10 years, more than 5,200 data breaches have exposed almost 800 million records, including people's names and sensitive information such as Social Security numbers, driver's license numbers, and medical or financial records.
During the same period, states have enacted a dizzying variety of laws requiring companies to notify consumers in the event of a breach. As a result, we have a national patchwork quilt of differing requirements that together provide decidedly uneven protection.
The lack of a uniform federal standard for data breach notification also has created an unnecessarily complex situation for companies, which must now spend more time navigating this murky legal terrain than actually protecting consumer data. Congress should act swiftly to pass a strong federal data breach law that preempts all the conflicting state laws. If European lawmakers can aspire to create an ambitious “Digital Single Market” by preempting the laws of 28 nations to establish a uniform set of digital regulations for an entire continent, then surely the US can manage this for the narrow issue of data breach notification.
Currently, 47 states and the District of Columbia have enacted data breach standards of their own, requiring both public and private entities to notify individuals in the event of a breach involving their personally identifiable information. Each state law has different definitions for what constitutes a data breach, what delineates personal data, who must comply, and who must be notified. This variation not only creates expensive compliance issues for companies and confuses consumers, but leaves consumers in Alabama, New Mexico, and South Dakota – states that have yet to enact data breach notification laws – out in the cold.
Several federal data breach efforts have bipartisan support, and President Obama also endorsed the idea in January. However, several state attorneys general, such as California's Kamala Harris, Massachusetts' Maura Healey, and Illinois' Lisa Madigan, have recently pushed back on proposals to preempt state data breach laws, arguing that doing so would unduly limit the role of states in fostering information security.
To be sure, state attorneys general have made a particularly concerted effort to pursue cases involving data breaches. For example, earlier this year, attorneys general from nine states settled with online retailer Zappos over its failure to do more to protect consumer information after a 2012 breach. Similarly, in January 2014, California Attorney General Harris sued Kaiser Foundation Health Plan, alleging the company moved too slowly in notifying its employees that their information had been compromised in a 2011 security breach.
The proposed federal data breach laws would still allow state attorneys general, in addition to the Federal Trade Commission, to take action against companies that fail to comply with the federal data breach standard, just as they can when companies fail to uphold other federal consumer protection laws such as the Fair Credit Reporting Act. Rather than reducing state enforcement power, such federal laws have actually expanded it. For example, the Dodd-Frank Act authorized state attorneys general to bring civil actions against companies that engage in unfair, deceptive, or abusive practices. Many of the proposed federal data breach laws would offer states similar authority to pursue civil actions.
The primary reason to pass federal data breach legislation is to simplify the compliance process for companies so that they can focus on protecting consumers rather than navigating complex rules, and the only way to achieve this is by preempting state laws. Congress should reject all attempts to simply add an additional layer of regulation that would benefit neither consumers nor industry. Instead, a strong federal data breach standard is needed not only to ensure that all US consumers have equal protections and receive timely notifications, but also to reduce the burden on companies of complying with breach notification requirements.
Daniel Castro is the Vice President for the Information Technology and Innovation Foundation (ITIF), and Alan McQuinn is a Research Assistant at ITIF.