Breach Bill: Adverse Impact on Privacy?
National Notification Law Would Eliminate State PII Safeguards
A compelling argument for a national data breach notification law is that businesses would need to comply with only one set of standards, a point made by President Obama on Jan. 12 in remarks delivered at the Federal Trade Commission:
"Right now, almost every state has a different law on this, and it's confusing for consumers and it's confusing for companies - and it's costly, too, to have to comply to this patchwork of laws."
President Obama explains why he sees a need for a national data breach notification law.
Businesses don't like the fact they must comply with 47 different state notification laws and, on the surface, enacting a federal statute to pre-empt state laws makes sense. But would simplifying data breach reporting justify the loss of privacy protections a handful of states provide citizens if a single national law is enacted? A national statute, as proposed in draft legislation, wouldn't just standardize when consumers and authorities would be notified of a breach; it would also usurp other security measures aimed at safeguarding citizens' personally identifiable information that some states provide.
Take, for instance, Massachusetts, which in 2010 enacted one of the most stringent IT security requirements any government has imposed on businesses. The commonwealth requires businesses and other organizations to take a number of proactive steps to secure personally identifiable information on any state residents.
The draft federal legislation to be considered at a March 18 hearing of the House Energy and Commerce Committee would pre-empt the Massachusetts regulations should it become law (see Seeking Compromise on Data Breach Notice Bill).
Massachusetts Assistant Attorney General Sara Cable will tell lawmakers at the hearing that the state objects to a national law that would eliminate privacy protections the state has granted its citizens.
"Ensuring the security and privacy of Massachusetts residents' personal and financial information is a priority of our office," says Jillian Fennimore, the AG's deputy press secretary. "We strongly oppose any legislation that undermines the protections now afforded to consumers in our state."
Massachusetts demands a lot from those holding personal information about its citizens. Its regulations require each organization to implement a written comprehensive information security program to protect citizens' PII, and to designate at least one employee to maintain the program.
The Massachusetts rules are quite prescriptive. For example, they require businesses to block access to user identification after multiple unsuccessful attempts to gain access, and they require the encryption of all transmitted records and files containing PII that travel across public networks or are sent wirelessly.
When TD Bank agreed to pay $625,000 in a settlement last year after a breach, then-Massachusetts Attorney General Martha Coakley pointed out that the fine covered not just the failure to provide timely notification to consumers and authorities but also the failure to properly secure PII: "Businesses are required to secure the sensitive information that consumers entrust to them, and cannot subject consumers to unnecessary risk by failing to provide prompt notice when that information is compromised or lost."
Less Stringent Legislation
By contrast, the federal draft breach notification legislation to be considered at the House hearing isn't explicit on how businesses and other organizations should ensure data security. The section of the measure titled "Requirements for Information Security" is a mere 43 words in length, and states:
"A covered entity shall implement and maintain reasonable security measures and practices to protect and secure personal information in electronic form against unauthorized access as appropriate for the size and complexity of such covered entity and the nature and scope of its activities."
A federal law would give businesses far more leeway than does the Massachusetts regulation in deciding how best to secure the privacy of the data they store. That approach would find favor among the majority in Congress who have a distaste for government regulation and believe businesses - not government - know best how to secure their IT.
But doesn't Massachusetts have a right to decide how best to protect its citizenry? Couldn't Congress find a compromise, where it standardizes how businesses notify consumers and authorities of data breaches but allows each state to decide how its citizens' personal data should be safeguarded?