In two decades practicing law – with a majority focus in the information security industry – I’ve had a front row seat to the meteoric rise in the public discourse on privacy and data loss. Now as a Certified Information Privacy Professional (CIPP) and General Counsel of a company that navigates state breach notice laws, a plethora of sector based federal breach notice laws, and a host of international breach notice laws, I’ve moved in many ways from the front row and into the ring.
In my role, I am asked many questions about everything from the machinations of Federal privacy regulation, to what individual citizens should do to protect their Personally Identifiable Information (PII.) It’s a complex and compelling area of law and business that I will be covering in this space on an ongoing basis.
With recent discussions of Executive Orders and Cyberwar, a good place to begin might be to start at the top. Specifically, the question of whether or not the Federal Government will pass a comprehensive data breach notification law that supersedes all the state laws.
While I don’t rule out a federal law passing at some point, I see it setting a floor of breach response responsibility rather than superseding everything already in place. To understand the hurdles for Federal pre-emption we will look at what these different breach notice laws say, the political challenge with Federal pre-emption, and why disparate state breach laws are not a problem worth solving.
Data breach notification laws are generally laid out like this: What is personal information, what is a breach, who do you have to tell, and what happens if you don’t.
What is personal information?
The laws start with a definition of the information the law pertains to. Generally in the U.S., that means a name and identifying information that could lead to identity theft or bank fraud - like a social security number or a credit card number.
Many breach notice laws in the US are focused on financial loss because they were companion bills to identity theft bills. But states differ in the definitions of personal information. Some have additional identifiers like tribal ID (if you belong to a Native American tribe) that can trigger the definition. One state includes email addresses in its definition. Some have a long list of identifiers while others stick to a short list. Point being, states have decided that different forms of info are worthy of protection based on the nature of people in that state and their priorities.
What is a breach?
Laws then describe what a breach is. This description is where you find “outs” to notification. For example, if the information was encrypted and the bad guys didn’t get the key, or the loss is unlikely to result in harm to anyone because while you lost it you got the info back from someone you trust didn’t give a copy to someone else. (The legal topic of measuring “harm” is a rich one and likely warrant its own column down the line) But some states just have an out for no likelihood of financial harm meaning that a loss in that state that could result in humiliation or other non-financial harm doesn’t qualify for the out.
Who do you have to tell?
Next, the law that tells you what to do. In the U.S., they all say you have to give the folks whose info was lost a heads up so they can try and protect their credit and bank accounts. Some say you have to give your state attorney general or federal regulator notice of the loss. And others say you also have to alert the media and credit reporting agencies.
What happens if you don’t?
Some US laws are explicit about the financial penalty for not providing notice. They give a per-person amount so the larger the loss the higher the fine. And many have a cap on the total fine for an individual breach. But these amounts vary widely. Per violation amounts range from $100 to $25,000 and caps go from $10,000 to $750,000. This is obviously an enormous difference.
So with a little knowledge of how current laws work in the US, put yourself in the shoes of a legislator trying to harmonize all the different state laws. That legislator is going to have three big political challenges.
The first challenge is choosing a single standard when states differ so. Changing the rules in dozens of states will cause upheaval with political fallout.
The second challenge will be dealing with state attorneys general and treasurers. State AG’s are becoming more and more active in tracking breaches and cracking down on companies that don’t provide proper notice or have adequate security procedures. Part of that crackdown includes fines collected that go to the state treasury. A federal law will strip those AGs of the rule of privacy protectors and redirect funds to the federal government and away from the states.
The third challenge is that some states go above even Federal notice requirements, For example, California has a health care notice statute that doesn’t provide an out for encrypted data like HIPAA/HITECH does. Virginia’s health care notice statute provides for criminal penalties. What legislator wants to be known as the one who diluted people’s privacy rights by pre-empting strong protections and replacing them with weaker ones?
When trying to solve a problem, the first thing I ask is if I’m dealing with a problem worth solving. Privacy professionals and law firms have become well versed in the different state laws. Solutions also exist that track all the different laws and provide incident response plans that are easy to follow. If the problem here is the complexity involved in dealing with disparate state breach notice laws, then we don’t have a problem worth solving.
The reasons for the disparities in state breach notification laws are the strength of a federation of states. The citizens of different states with different priorities and beliefs have the power to elect representatives who create law reflecting the mores of their respective states. While some may refer to federal pre-emptions as an act of harmonization, others will see it as a federal government willing to ignore the laws and desires of the states.
The legislator who takes on the task to pre-empt a multitude of state laws is sure to create a multitude of folks displeased with their wills being ignored.