Single US Breach Notification Law: StalledPatchwork of 47 State Laws Will Remain
As Europe counts down to implementing its General Data Protection Regulation, which will require EU-wide data breach notifications for the first time, similar efforts to enact a single federal law in the United States remain stalled, with little indication that Congress will act on the matter this year.
It's not that the United States lacks data breach notification. Forty-seven states, the District of Columbia and three territories have their own data breach notification requirements. Only Alabama, New Mexico and South Dakota have no data breach notification law.
The downside to nationalizing data breach notification ... is that the draft federal laws proposed to date have been weaker than what's already provided by some state laws.
Businesses that operate in more than one jurisdiction have griped over the years of the burden they face in having to comply with as many as 51 separate breach notification requirements. And many lawmakers and President Obama have endorsed the concept of nationalizing data breach notification. But support breaks down when the details of the legislation are dissected.
Committees Act, Then Nothing
Two measures to nationalize data breach notification cleared House committees last year, but many other barriers remain that will prevent their enactment in an election year when time is of the essence and legislators would rather return to their districts to campaign than spend a muggy summer and a variable autumn to legislate.
The House Financial Services Committee, by a 46-9 vote, approved on Dec. 9 the Data Security Act of 2015, which would establish minimum security protections at businesses as well as create a national requirement for data breach notification (see House Panel OK's National Breach Notification Bill). On April 15, another House committee - Energy and Commerce - approved similar legislation known as the Data Security and Breach Notification Act by a 29-20 vote (see National Data Breach Notification Bill Advances).
Both bills, if enacted, would oust existing state and territorial laws with a single, national breach notification process. Still, Republican leaders who control the House have not indicated whether they'll bring up either of the bills for a vote by all of its members. Even if one bill passes the House, it's extremely unlikely that the Senate would get around to enacting the legislation.
The benefit to nationalizing data breach notification is that reporting breaches to law enforcement, citizens and consumers and other stakeholders would be simplified. Organizations would only have to follow one set of rules, not 51.
But the downside to nationalizing data breach notification - at least in the eyes of those wanting to protect consumers - is that the draft federal laws proposed to date have been weaker than what's already provided by some state laws.
Weakening State-Provided Protections
Nationalizing data breach notification means that a weaker federal statute would supplant stronger laws in a number of states. Take, for instance, the Commonwealth of Massachusetts and the State of California, which have data breach notification laws that contain prescriptive security processes.
Massachusetts Assistant Attorney General Sara Cable, testifying before Congress last year, argued that preempting state laws "represents a significant retraction of existing protections for consumers at a time when such protections are imperative" (see Barriers to a Breach Notification Law). She added: "Minimum data security standards are important and necessary, but the proposed standards leave consumers' data vulnerable."
But when some Democratic lawmakers tried to amend the measure to allow states to keep their more stringent security requirements, the majority of committee members balked. The bill's sponsor, Republican Rep. Marsha Blackburn of Tennessee, said the legislation was designed to be narrowly focused and amending it to allow states to continue to enforce their more stringent security requirements, would "perpetuate concerns that we have with a patchwork of state laws. This is a problem that has grown that has not diminished through the years. ... We know the amendment is broad; it would add to the confusion."
Such disagreements among lawmakers signify why it would be too tough to get national data breach notification legislation enacted this year. Rep. Michael Burgess, R-Texas, points out that national data breach notification measures have been before Congress since 2008 without coming up for a vote in either the House or Senate.
Getting Congress to pass any legislation is a complex, sometimes ugly effort. As the old saw goes: Laws are like sausages; it is better not to see them being made. As for nationalizing data breach notification, it'll take more time to season the sausage properly.
Correction: An earlier version of this story incorrectly stated that South Carolina did not have a data breach notification law. South Dakota does not have a data breach notification law.