Federal data breach notification standard must pre-empt state laws

Two Senate measures would regulate how both public and private sector organizations protect personal information and respond to data breaches, but the real impact of any federal standards will depend on whether they pre-empt existing state laws.

The Data Breach Notification Act, introduced in January by Sen. Dianne Feinstein, D-Calif., would authorize the attorney general to bring civil actions against firms that failed to notify people whose personal information had been compromised in a breach and would extend notification requirements to government agencies. The Personal Data Privacy and Security Act, introduced in July by Sen. Patrick Leahy, D-Vt., also would set notification requirements and tighter criminal penalties for identity theft and willful concealment of a breach, and would require businesses to implement preventive security standards to guard against threats to their databases.

Both bills cleared the Senate Judiciary Committee and have been placed on the calendar for consideration by the full Senate.

State and federal measures stem from numerous high-profile data breaches in recent years, including the exposure of the personal information of 26.5 million veterans in 2006, after a laptop was stolen from a contractor's home. The fear in such instances is that personal information will be used for identity theft or financial fraud.

"A federal breach notification law would force management to put budget and controls in place" in both government and industry, said Phil Neray, vice president of strategy at database security company Guardium. "Most organizations are driven by what they have to do, not what they should do."

The Office of Management and Budget requires federal agencies to notify individuals in the event of a breach of their personal information. But a patchwork of state laws dictates how other public and private organizations should handle breaches of sensitive information. Forty-seven states plus the District of Columbia, New York City and Puerto Rico have their own laws, which vary widely.

Two states are credited with having the breach notification laws with the most teeth, said Peter McLaughlin, senior counsel with Foley & Lardner LLP and a member of the law firm's privacy, security and information management practice. Foley & Lardner released a report on Monday that provides in-depth coverage of all major aspects of U.S. and international security breach laws.

California was the first state to pass a law requiring companies to disclose when unencrypted personal information in their databases has been accessed by someone who isn't authorized to view it. It's also one of only a handful of states that incorporated a broader definition of personal information into legislation that includes not only name, Social Security number, driver's license number and financial data, but also health information, which hackers can use to file fraudulent insurance claims or acquire prescription medications to sell on the black market.

"The vast majority of state laws focus on identity theft, but California expanded the scope of its law significantly to include any number of hospitals and health care providers and even workers' compensation organizations -- both private and public -- that maintain health information," McLaughlin said. "I suspect this will be the beginning of a trend."

Massachusetts also included as a supplement to its 2007 data breach notification law (MGL Chapter 93H) a series of data security requirements that government and industry must follow to protect the personal information of state residents. Among the requirements, which go into effect in March 2010, are encryption of laptops and portable devices and security training programs.

"This is among the only states that go into this level of prescriptive detail," McLaughlin said.

Furthermore, like most state data breach laws, the Massachusetts regulation "knows no geographic boundaries," so any company that maintains personal information of a Massachusetts resident must comply with the law -- regardless of where the company is located, McLaughlin said.

This is a good example of why a federal standard is needed, Neray said.

"Most organizations are national and international. To have to hire lawyers to study differences in the laws and define what they have to do in each state doesn't make sense from a cost or efficiency point of view," he said. "I'd hope any federal regulation would pre-empt state laws, because it would be the more business friendly approach. You can argue about how much regulation should be imposed on businesses, but this is not a value-based issue, it's a national issue."

McLaughlin agreed. "It's not a productive use of time to try to develop a series of diverse responses to the same situation," he said. "But the perennial question of pre-emption is the challenge. My sense is that states tend to have the perspective of 'we'll do it on our own, thank you very much,' but I'm not a policy person."
