States and Feds Disagree on Data Breach Proposals

June 16, 2015

By Sarah Breitenbach

As Americans' personal information continues to move online, everything from medical records to mothers' maiden names, Social Security numbers and fingerprints are increasingly up for grabs. And the states and the federal government are at odds on how to respond.

Since California first began enforcing data breach reporting requirements in 2003, 46 other states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have implemented varying degrees of regulation, including requirements to provide free credit monitoring to victims, quickly notify consumers of a breach and tell state attorneys general or other agencies about compromised records. States are toughening their laws by broadening the definition of "personal data," requiring timelier reporting and expanding the number of people or agencies companies must notify of a breach.

In contrast, Congress is just now coalescing around federal standards. Pending legislation would preempt the collage of state laws and enforce a definition of personal information that is narrower than what many states use.

Caught in the middle are businesses, which would prefer a single federal standard to the different state requirements, and consumers who must scramble to protect their bank accounts, credit cards and credit worthiness from thieves who steal their identities to attack their assets.

Scott Talbott, a senior vice president of government affairs with the Electronic Transactions Association, which represents banks, companies that make credit card swipe terminals and online payment companies, said his organization welcomes a tough standard, but that continuing to comply with so many state regulations is complicated.

Without a federal standard, reporting breaches will continue to be a cumbersome and expensive task, he said.

"Letting consumers know what to expect with one law we think is preferable, is more efficient and works better for all parties involved in the current system," Talbott said.

David Thaw, an assistant professor of law and information services at the University of Pittsburgh, said the proposed federal Data Security and Breach Notification Act of 2015 is just a reporting law, one that is less stringent than many state laws. What's really needed, Thaw said, is a broad federal law that would require companies to have better cybersecurity to protect consumers' information and privacy from breaches.

He said the patchwork of state laws more effectively protects consumers, and that complying with them is not as hard as companies say it is.

"I am 100 percent certain I could write a computer program which would take all of the inputs from a given data breach and spit out all the notification letters," he said. "It's not hard. There are very good attorneys out there who can put out all the notifications for all the jurisdictions and get it right and get it done."

With hacking attempts numbering into the thousands each day, hundreds of U.S. data breaches occur annually. In the last two years, retail giants such as Target, Home Depot and eBay have been hacked, exposing the personal information of millions of customers. Health insurance companies such as Anthem, which saw 80 million records compromised during a breach in January, have also become targets of thieves who use medical data to cobble together enough information to defraud people.

According to the Identity Theft Resource Center (ITRC), there have been more than 5,000 breaches in the United States affecting more than 780 million records containing personal information since the center began tracking them in 2005. So far this year there have been 348 breaches which compromised more than 100 million records, according to ITRC.

At least 32 states considered legislation this year that would establish or expand data breach policies, according to the National Conference of State Legislatures. The proposals include expanding the kinds of personal information that if lost or stolen trigger a report to consumers, requiring companies to report breaches to state attorneys general and extending data protections to students' information.

In May, Illinois lawmakers updated the state's 2005 Personal Information Protection Act to require companies to report breaches to the attorney general's office. The updated law expands the definition of "personal information" to include records of where a customer has been, online browsing details and purchase histories.

Proponents say that requiring companies and organizations to notify an attorney general of a breach guarantees that consumers will receive information about their compromised data and that breaches can be appropriately investigated.

The bill is one of the most comprehensive in the nation, said Democratic Illinois Attorney General Lisa Madigan. Republican Gov. Bruce Rauner has not said whether he will sign it.

"Identity theft is an enormous problem," Madigan said. "It's sometimes very difficult to identify, very difficult to clean up, and it can have an enormous impact on somebody's ability to function in our world."

Twenty-one states and Puerto Rico require companies to report data breaches to the attorney general's office or another state agency. Three more states, Montana, North Dakota and Washington, have similar laws that will take effect by the end of the year.

In Connecticut, considered to be at the forefront of data breach policy, companies have been required to report their breaches to the attorney general since 2012. Connecticut's Democratic attorney general, George Jepsen, said that the law has forced many companies to disclose breaches they otherwise wouldn't have reported. His office now receives about 400 breach notifications a year.

The vast majority of the breaches are small and not harmful, Jepsen said. But Connecticut residents are better protected, he said, because his office has the power to investigate the breaches and pursue legal action if companies don't do what they are supposed to do.

"If Connecticut has 400 breaches, I guarantee you there's no way the feds are going to be looking at all 400," Jepsen said. "There continues to be an important role for states' attorneys general. We've got the boots on the ground to do the work."

Stateline | Nonpartisan, Nonprofit News Service of the Pew Center on the States | @pewstates