States Approach Federal Data Breach Law with Caution

With 47 different state laws on what companies are supposed to do when they become victims of cyberattack, is it time for federal legislation?
October 2014
Bornfree/ Shutterstock
Tod Newcombe
By Tod Newcombe  |  Columnist

When hackers made their way past hardware giant Home Depot’s security system last month, gaining access to credit card information for up to 60 million customers, it was considered the mother of all data breaches. But it’s only the latest in a growing series of hacking scandals. Between 2005 and 2014, there have been 4,695 breaches exposing 633 million records, according to the nonprofit Identity Theft Resource Center. The average cost of a breach to an organization is estimated at $3.5 million.

With no national data breach disclosure law on the books, retailers such as Home Depot, Target and Neiman Marcus (which were both victims of massive breaches last year) are forced to adhere to a patchwork of 47 state laws. Those laws vary in terms of who must comply, what defines personal information, what constitutes a breach and who must be notified. It’s led to a growing chorus of critics who say it’s time for a national standard.

While such a law won’t stop data breaches, a national law on disclosure could simplify the policies that companies must follow when reporting the theft of personal information. “A properly defined data breach notification standard would go a long way to guide organizations on how to address cyberthreats in their risk management policies,” testified Kevin Richards, senior vice president for federal government affairs at TechAmerica, an association for technology vendors, last year before the House Energy and Commerce Subcommittee. Richards further testified that the national law would be particularly helpful for smaller businesses that work across state lines, but “cannot afford teams of lawyers to navigate 47 data breach standards should something bad happen.”

More recently, U.S. Attorney General Eric Holder said a national breach law “would enable law enforcement to better investigate these crimes and to hold compromised entities accountable when they fail to keep sensitive information safe.” It would empower individuals to protect themselves, he said, while also avoiding placing unnecessary burdens on businesses that act responsibly.

Congress has tried and repeatedly failed to pass a national notification law. Currently, the federal government regulates data security as it relates to health care and banking, but not other industries, including retail, where the largest breaches have occurred. There is legislation pending on Capitol Hill: Sens. Tom Carper of Delaware and Roy Blunt of Missouri introduced a bill known as the Data Security Act that would require companies to notify federal agencies and individuals of any breach that affects more than 5,000 customers.

But state attorneys general have raised concerns about a national law. Connecticut Attorney General George Jepsen has said that while he would welcome a comprehensive national law, he’s worried that the feds could reduce the number and effectiveness of regulators at the state level who fight data breaches. Maryland Attorney General Douglas Gansler also says federal legislation would be helpful, “but it should not preempt state enforcement. Any federal standards should be a floor, not a ceiling, allowing states to enact stricter standards.”

That thinking reflects the National Conference of State Legislatures’ (NCSL) position on a national disclosure law. While not opposed to a baseline federal notification standard, states should have the authority to adopt standards that provide consumers with additional protection and notification, says James Ward, NCSL’s committee director for state-federal relations. “NCSL also supports state financial regulators and attorneys general to enforce any new federal data security breach notification standards.” Should Congress decide to preempt state law, he adds, it should only affect laws that are inconsistent with the federal standard and it should preserve state laws that apply to entities that may be excluded from the federal act.