Effort for Federal Data Breach Standard Turns on State Laws
An uptick in consumer data breaches is reinvigorating efforts to pass a national standard on how to prevent personal information leaks, and how to deal with the fallout.

But to reach a consensus that has escaped Congress in previous years, lawmakers will have to iron out the issue of how a federal data breach standard will interact with similar state laws.

That issue has divided a House subcommittee where two competing data breach bills landed, pitting the business community against consumer and privacy advocates.

The proposals in the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade both seek to create a national standard for preventing data breaches and requiring companies to notify consumers whose data has been breached. But they differ on how they deal with relevant state laws.

“If you’re going to have a federal standard, it needs to be strong enough to really enhance consumer protection, and it certainly, absolutely should not preempt stronger state laws,” Alex Bradshaw, a legal fellow at the Center for Democracy and Technology, said in an interview.

Bradshaw said the Center for Democracy and Technology, a Washington-based digital rights group that advocates for stronger data protections, doesn’t fully support any of the four proposals currently before Congress. Instead, the group is seeking tough protections that don’t impinge on state statutes.

But for the business community, federal legislation that supersedes that of the states is essential to reducing the cost and regulatory complexity of navigating the 40-plus state laws governing data breaches.

Mallory Duncan, general counsel of the National Retail Federation, said in an interview that disparate data regimes at the state level “create traps for the unwary” as companies run up legal expenses in order to comply.

“For many of these mid-sized companies, they’ve got tight budgets, they’re spending their money that should be spent on remediating the problem, and they’re spending it hiring law firms,” he said.

A draft bill sponsored by Rep. Marsha Blackburn (R-Tenn.), the subcommittee’s vice-chair, includes a provision that would nullify any state law that pertains to data security or breach notification. That portion drew dissension at a panel markup last month, when seven Democrats, including Rep. Frank Pallone of New Jersey, the committee’s ranking member, voted for an amendment that would have removed language they called “far too broad.”

The amendment was rejected on a party line vote, with 11 Republicans opposing it. The subcommittee then approved the bill by voice vote.

A competing bill in the subcommittee, H.R. 580, sponsored by Rep. Bobby Rush (D-Ill.), would give greater leeway to state law. The measure would only supersede state laws that deal with financial information, Social Security numbers, driver's license numbers and other government-issued identifiers. The subcommittee has not voted on the bill.

Similar legislation introduced by Sen. Bill Nelson (D-Fla.), S. 177, mimics the preemption provision in Rush’s bill. The Senate Commerce, Science and Transportation Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security held a hearing on data breaches in February, but the panel has yet to mark up the Nelson measure.

Forty-four states already have laws that trigger consumer notification if potentially harmful personal information is breached, according to an analysis by the law firm BakerHostetler LLP.

So far, 43 bills have been introduced in Congress since 2005 to deal with data breaches, according to an analysis by the House Commerce, Manufacturing and Trade Subcommittee. None has received a floor vote in either chamber.

Duncan, the National Retail Federation counsel, said that in previous years legislation often had broad exemptions for certain types of companies, such as internet service providers.

“If you pull any of the bills at random from the last two years and look at them, you’ll find very substantial notice holes,” Duncan said, referring to exceptions to consumer notification requirements. He said that while the Blackburn bill is an improvement on previous efforts, the National Retail Federation has stopped short of endorsing it because of provisions that would mandate fines for violations.

The Blackburn measure would require companies to adopt “reasonable security measures and practices to protect and secure personal information” and notify consumers within 30 days when that information is breached.

The Federal Trade Commission would be tasked with enforcing the measure, including the discretion to decide whether security practices are reasonable.

The urgency of passing legislation has grown alongside the rise in cyber theft: 783 data breaches were reported in 2014, compared with 614 in 2013, a 28 percent increase, according to the Identity Theft Resource Center, a non-profit that educates consumers on identity fraud.

Among the high-profile breaches last year were data leaks at eBay, discovered in September and impacting 145 million people, and at JPMorgan Chase, discovered in July and impacting 76 million households, according to a study by the Ponemon Institute, a privacy and information security research group.

A breach of records held by health-insurer Anthem Inc. discovered in January, impacting more than 78 million people, rekindled legislators’ attention.

Sen. Lamar Alexander (R-Tenn.) and Sen. Patty Murray (D-Wash.), the chairman and ranking member of the Senate Health, Education, Labor and Pensions Committee, issued a public letter last month to Anthem’s president and chief executive officer criticizing the company’s delay in notifying affected consumers.

The letter noted that more than 50 million affected consumers had not yet been made aware of the breach more than a month after it was discovered.

Voters are increasingly aware of breaches, and they say the data thefts are impacting their purchasing habits. A Morning Consult poll in August found that 65 percent of registered voters say they are less likely to engage in electronic transactions with companies that suffer from data breaches.

Meanwhile, a Morning Consult poll conducted earlier this year found that 79 percent of voters surveyed would support allowing the government to fine companies if they fail to protect consumer data. All proposals under consideration on Capitol Hill would allow the Federal Trade Commission to do exactly that.

Some lawmakers are confident that growing awareness will translate into legislative action.

“It’s fortunate that we’re much more aware of the problem,” Rep. Jim Langevin (D-R.I.) said at a Bloomberg Government event last month when he announced the introduction of his breach notification bill, H.R. 1704. “Unfortunately, the awareness is coming up because of the major hacks.”

Langevin’s bill deals exclusively with consumer notification, skirting the issue of protection standards. No action has been taken on the measure.

“I think the public has a right to be protected, and if there is a hack, the public needs to be informed,” said Langevin, a member of the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies. “And I feel very good that we’ll see legislation enacted on that as well in this Congress. There’s a real critical mass around this.”

Morning Consult