Modern field guide to security and privacy

Opinion: Why we need a robust national standard for data breach notification

As President Obama has rightly suggested, Congress should pass a strong data breach notification law to better safeguard consumers' information exposed by hackers.

Photo caption (Reuters/File): Target was the victim of a massive data breach during the 2013 holiday season.

Last week's revelations that criminal hackers stole the records of 4 million current and former federal employees from the Office of Personnel Management are a sharp reminder of the staggering toll of data breaches in the US. Over the past 10 years, more than 5,200 data breaches have exposed almost 800 million records, including people's names and sensitive information such as Social Security Numbers, driver's license numbers, and medical or financial records.

During the same period, states have enacted a dizzying variety of laws requiring companies to notify consumers in the event of a breach. As a result, we have a national patchwork quilt of differing requirements that together provide decidedly uneven protection.

The lack of a uniform federal standard for data breach notification also has created an unnecessarily complex situation for companies, which must now spend more time navigating this murky legal terrain than actually protecting consumer data. Congress should act swiftly to pass a strong federal data breach law that preempts all the conflicting state laws. If European lawmakers can aspire to create an ambitious “Digital Single Market” by preempting the laws of 28 nations to establish a uniform set of digital regulations for an entire continent, then surely the US can manage this for the narrow issue of data breach notification.

Currently, 47 states and the District of Columbia have enacted data breach standards of their own, requiring both public and private entities to notify individuals in the event of a breach involving their personally identifiable information. Each state law has different definitions for what constitutes a data breach, what delineates personal data, who must comply, and who must be notified. This variation not only creates expensive compliance issues for companies and confuses consumers, but leaves consumers in Alabama, New Mexico, and South Dakota – states that have yet to enact data breach notification laws – out in the cold.

Several federal data breach efforts have bipartisan support, and President Obama also endorsed the idea in January. However, several state attorneys general, such as California’s Kamala Harris, Massachusetts’ Maura Healey, and Illinois’ Lisa Madigan, have recently pushed back on proposals to preempt state data breach laws, arguing that doing so would negatively limit the role of states in fostering information security.

To be sure, state attorneys general have made a particularly concerted effort to pursue cases involving data breaches. For example, earlier this year, attorneys general from nine states settled with online retailer Zappos for failing to take better actions to protect consumer information after a 2012 breach. Similarly, in January 2014, California Attorney General Harris sued Kaiser Foundation Health Plan, alleging the company moved too slowly when notifying its employees that their information was compromised in a 2011 security breach.

The proposed federal data breach laws would still allow state attorneys general, in addition to the Federal Trade Commission, to take action against companies that fail to comply with the federal data breach standard, similar to what they can do when companies fail to uphold other federal consumer protection laws like the Fair Credit Reporting Act. Rather than reducing state enforcement power, such federal laws have actually expanded it. For example, the Dodd-Frank Act authorized state attorneys general to bring civil actions against companies that engaged in unfair, deceptive, or abusive practices. Many of the proposed federal data breach laws would offer states similar authority to pursue civil actions.

The primary reason to pass federal data breach legislation is to simplify the compliance process for companies so that they can focus on protecting consumers rather than navigating complex rules, and the only way to achieve this is by preempting state laws. Congress should reject all attempts to simply add an additional layer of regulation that would benefit neither consumers nor industry. Instead, a strong federal data breach standard is needed to ensure not only that all US consumers have equal protections and receive timely notifications, but also that the burden on companies of complying with breach notification requirements is reduced.

Daniel Castro is the Vice President for the Information Technology and Innovation Foundation (ITIF), and Alan McQuinn is a Research Assistant at ITIF.
