The flood of massive data breaches – including, most recently, the Equifax breach that compromised the personal data of around 145 million U.S. consumers – has increased the pressure on Congress to pass sweeping federal data security and breach reporting legislation. While it’s difficult to project whether such legislation will be enacted in the near future, and what it will look like in the event that it is, an important and contentious question has already arisen: If federal legislation is ultimately enacted, should preempt the patchwork of state and local laws that presently govern this area?
Setting aside the handful of industries – including healthcare and finance – that are already subject to federal data security laws, the data security and breach reporting obligations of most U.S. organizations are established by a medley of state and local laws. This legal patchwork is confusing and arduous for organizations and data subjects to navigate, particularly since the types of data elements protected, and the processes for determining when a breach must be reported, vary from state to state. At least in theory, therefore, federal preemption in this area would be a step in the right direction.
Not so, say the New York and Massachusetts attorney general’s offices, both of which have been active in the data security space. On October 25, 2017, these offices urged U.S. House members to use federal law to set a floor for data security and reporting standards; not a ceiling. Setting a federal ceiling, argued Kathleen McGee, Chief of the Bureau of Internet and Technology at the New York Attorney General’s Office, would stifle innovation in this area: “States have proven the ability to act quickly” to address technological changes that impact data security, Ms. McGee said. Congress, she added, “should not limit states’ ability to innovate in this area.”
Touting the effectiveness of state-level legislative and enforcement efforts, assistant Massachusetts Attorney General Sara Cable noted that her office has received over 19,000 notices since its data breach notification law went into effect in 2007, including 4,000 in 2016 alone. These notices, she said, have revealed that, while “there are entities that are doing it right,” she sees “far too often that entities are not treating consumer information like the valuable asset it is.” “I would submit,” she continued, “that any [federal] law that is proposed that is weaker than the law that we currently have today [in Massachusetts] is worse than doing nothing.”
We will keep you posted as federal lawmakers continue to grapple with the escalating threats to personal data. In the meantime, we strongly encourage organizations to take appropriate steps to ensure that they are compliant with their current state law data security obligations. A growing number of states now require subject organizations to develop policies and procedures to safeguard the personal information that they hold, and the definitions of “personal information” under state law continue to expand to cover additional data elements like health information, email addresses and usernames, and biometric data. And state agency investigations and enforcement actions are not the only area of concern for organizations that fail to comply with their data security and reporting obligations. Some state laws provide a private right of action and, in an ominous development, 26 employment class actions lawsuits in the past three months alone have alleged violations of the Illinois Biometric Information Privacy Act.