Data thefts at U.S. retailers, without any doubt, have gotten the attention of members of Congress. There is another push for a single federal law to protect customers from such breaches. But, as expected, those efforts face the same roadblock as in the past. There are already dozens of overlapping state laws in place that proponents of a federal law say complicate things. Congressional hearings and calls for new authority and powers by consumer protection agencies followed quickly after the breaches at Target Corp., Neiman Marcus and Michaels Companies came to light.
Several Senate bills that failed to get traction in past years have been revived. Powerful Democrats on the commerce, judiciary, intelligence and homeland security committees are now attempting to get something done. But the new bills are much like the ones that failed to advance on more than one occasion in previous sessions. The question remains: should a federal law pre-empt state regulations? Clearly, pre-emption will be a major part of any discussions in Congress.
Although federal laws already regulate how specific industries, such as banks and hospitals, must handle compromised data, certain other kinds of companies, including retailers, face no such uniform standard. Instead, 46 states and the District of Columbia have passed their own laws that tell companies when and how consumers must be alerted to data breaches and what qualifies as a breach. Against that background, any negotiation over fitting state standards under an umbrella federal law will be a struggle between companies, consumer advocates and state authorities. I am not at all sure how that debate will work out. Large companies operating across state lines contend that the state laws form a patchwork of regulations and that complying with all of them is a challenge. For example, companies often issue one nationwide notice to consumers with state-specific supplements at the end. The matrix of differing state laws makes that much more difficult.
The National Retail Federation, in a January letter to Congress, restated its decade-old position in favor of a nationwide standard that would pre-empt state rules. The lobbying group wrote to lawmakers:
A preemptive federal breach notification law would allow retailers to focus their resources on complying with one single law and enable consumers to know their rights regardless of where they live.
A number of state attorneys general are concerned that federal standards would dilute their power to pursue violators. For example, Illinois Attorney General Lisa Madigan said that states must keep their ability to enforce. She said that so long as the state attorneys general retain the ability to respond to their consumers, a federal law would be acceptable. It should potentially be seen as a floor and not a ceiling, she said.
Consumer advocates say that the call for a single law by companies masks the goal of having a weaker federal standard that would trump stronger laws on the books in states like California and Massachusetts. Those two states have very good laws. Edmund Mierzwinski, consumer program director at U.S. Public Interest Research Group, observed:
None of the federal proposals are as strong as the strongest state laws and that’s wrong. I don’t think we need (a federal law) that’s weaker than California’s.
California was the first state to adopt a data breach law in 2003. After a decade of fine-tuning, that law requires a detailed disclosure to consumers “in the most expedient time possible and without unreasonable delay” when personal information, including emails with passwords, is “reasonably believed” to have been stolen. Even though many state requirements are broadly similar, some states, such as Montana and Ohio, require notification only if a breach poses or is believed to pose harm or material risk such as identity theft.
Many states also use more limited definitions of what personal information is included. A common definition includes name combined with the Social Security number, driver’s license number or payment card number together with information needed to access financial records. My state of Alabama, along with Kentucky, New Mexico and South Dakota, does not have its own data breach notification laws.
It will be interesting to see how all of this works out. It would seem that a strong federal law that doesn’t preempt state laws could be developed in a relatively short time span. The consuming public deserves to be protected, and they may even demand it if more serious breaches occur. Hopefully, those in positions of authority at both the federal and state levels will cooperate and get something done.
Source: Insurance Journal