Federal data breach notification standard must pre-empt state laws

Public and private entities currently juggle laws from 47 states, two cities and one U.S. territory.

Two Senate measures would regulate how both public and private sector organizations protect personal information and respond to data breaches, but the real impact of any federal standards will depend on whether they pre-empt existing state laws.

The Data Breach Notification Act, introduced in January by Sen. Dianne Feinstein, D-Calif., would authorize the attorney general to bring civil actions against firms that failed to notify people whose personal information had been compromised in a breach and would extend notification requirements to government agencies. The Personal Data Privacy and Security Act, introduced in July by Sen. Patrick Leahy, D-Vt., also would set notification requirements and tighter criminal penalties for identity theft and willful concealment of a breach, and would require businesses to implement preventive security standards to guard against threats to their databases.

Both bills cleared the Senate Judiciary Committee and have been placed on the calendar for consideration by the full Senate.

State and federal measures stem from numerous high-profile data breaches in recent years, including the exposure of the personal information of 26.5 million veterans in 2006, after a laptop was stolen from a contractor's home. The fear in such instances is that personal information will be used for identity theft or financial fraud.

"A federal breach notification law would force management to put budget and controls in place" in both government and industry, said Phil Neray, vice president of strategy at database security company Guardium. "Most organizations are driven by what they have to do, not what they should do."

The Office of Management and Budget requires federal agencies to notify individuals in the event of a breach of their personal information. But a patchwork of state laws dictates how other public and private organizations should handle breaches of sensitive information. Forty-seven states plus the District of Columbia, New York City and Puerto Rico have their own laws, which vary widely.

Two states are credited for having breach notification laws with the most teeth, said Peter McLaughlin, senior counsel with Foley & Lardner LLP and a member of the law firm's privacy, security and information management practice. Foley & Lardner released a report on Monday that provides in-depth coverage of all major aspects of U.S. and international security breach laws.

California was the first state to pass a law requiring companies to disclose when unencrypted personal information in their databases has been accessed by someone who isn't authorized to view it. It's also one of only a handful of states that incorporated a broader definition of personal information into legislation that includes not only name, Social Security number, driver's license number and financial data, but also health information, which hackers can use to file fraudulent insurance claims or acquire prescription medications to sell on the black market.

"The vast majority of state laws focus on identity theft, but California expanded the scope of its law significantly to include any number of hospitals and health care providers and even worker's compensation organizations -- both private and public -- that maintain health information," McLaughlin said. "I suspect this will be the beginning of a trend."

Massachusetts also included as a supplement to its 2007 data breach notification law (MGL Chapter 93H) a series of data security requirements that government and industry must follow to protect the personal information of state residents. Among the requirements, which go into effect in March 2010, are encryption of laptops and portable devices and security training programs.

"This is among the only states that go into this level of prescriptive detail," McLaughlin said.

Furthermore, like most state data breach laws, the Massachusetts regulation "knows no geographic boundaries," so any company that maintains personal information of a Massachusetts resident must comply with the law -- regardless of where the company is located, McLaughlin said.

This is a good example of why a federal standard is needed, Neray said.

"Most organizations are national and international. To have to hire lawyers to study differences in the laws and define what they have to do in each state doesn't make sense from a cost or efficiency point of view," he said. "I'd hope any federal regulation would pre-empt state laws, because it would be the more business friendly approach. You can argue about how much regulation should be imposed on businesses, but this is not a value-based issue, it's a national issue."

McLaughlin agreed. "It's not a productive use of time to try to develop a series of diverse responses to the same situation," he said. "But the perennial question of pre-emption is the challenge. My sense is that states tend to have the perspective of 'we'll do it on our own, thank you very much,' but I'm not a policy person."
