WASHINGTON -- In the past year, state legislatures have leapt ahead of Congress in enacting laws to notify and protect consumers whose personal data, held by businesses and other entities, have been stolen. But now the states are worried about being victims of their own success.

Just before leaving town for its August recess, the U.S. House of Representatives delayed an anticipated vote on federal legislation, heavily favored by industry, that would pre-empt state data-breach notification laws, set a national notification standard and remove state attorneys general from the enforcement picture.

There is “absolutely” no need for federal legislation now, said Edmund Mierzwinski, director of consumer programs for U.S. Public Interest Research Group (U.S. PIRG), which, along with Consumers Union, Privacy Rights Clearinghouse and other groups, has been mining the data-security issue in Congress and in the states.

“The states have solved the problem and we have constructive compliance nationally with the strongest state laws,” he said. “Industry seeks to pre-empt not for uniformity. What they seek is very weak uniformity as well as pre-emption. They’re trying to undercut the best of the state laws.”

But the need for federal legislation is “really critical,” countered Lisa Sotto, chairwoman of the privacy and information management practice in the New York office of Richmond, Va.’s Hunton & Williams.

“Right now there are 34 data breach laws; 32 impact companies other than data brokers [buyers and sellers of data] and governments,” she said. “It changes daily. Interpreting these laws is a nightmare. You need outside counsel. It’s very complex.”

Final action on the House bill, which is considered by consumer groups to be the worst of a spate of data-security bills and yet largely favored by business, fell apart at the last moment because of a jurisdictional dispute between two House committees with oversight of the issue.

Whether any federal bill can pass in the time remaining in the current session is uncertain, agreed supporters and opponents.

“The only way this gets done is to put together a single, comprehensive vehicle that can be moved. We came close in the House [a week ago],” said Michael Zaneis, a lobbyist on technology issues for the U.S. Chamber of Commerce.

There is “tremendous pressure” from industry to pass a law, said U.S. PIRG’s Mierzwinski. “I’m doing my best to kill it. The pressure will only increase in the fall.”

FOCUSED ON BREACHES

The problem of data-security breaches drew national attention more than a year ago primarily because of ChoicePoint Inc., a company that collects personal and financial information on millions of consumers. In February 2005, ChoicePoint reported that because of a security breach it had sold the personal information of about 145,000 people to a criminal enterprise. The company disclosed that breach only to California residents because of California’s Notice of Security Breach law, which was enacted in 2002 and took effect in 2003.

Since then, of course, there have been other reported data breaches, including last spring’s report by the U.S. Department of Veterans Affairs that a laptop containing the Social Security numbers of an estimated 26.5 million veterans had been stolen in a burglary.

But the ChoicePoint breach served as the catalyst for action by many state legislatures, and the California law became their model law. In the past year alone, legislation was introduced in at least 28 states, according to the National Conference of State Legislatures.

The states have been addressing the problem essentially in two ways: enacting notification laws that require companies and other entities (often government agencies) to inform consumers when data are lost, and enacting credit report freeze laws.

Under the credit report freeze laws, consumers basically put their credit reports in a “freezer” whenever they are not in the market for new credit. These laws are aimed at identity thieves who may have someone’s name and Social Security number and attempt to get credit using them. Only the true consumer, under the law, has the ability to “unfreeze” his or her credit report.

Twenty states have enacted such freeze laws, including California. An additional five states give this option only to identity-theft victims.

Delaware, the home state of the banks, has passed one of the strongest credit report freeze laws in the country, noted Mierzwinski. The Delaware law, effective in 2008, gives consumers the right to unfreeze their credit reports in 15 minutes.

“When the report is frozen, no new credit applications can be accessed,” he said. “Old creditors can check to see if you’ve become a problem, but new credit applications are blocked. Credit bureaus don’t like the idea because they would have to hire real people.”

The state security-breach notification laws are generally very similar in what they require, according to the National Association of Attorneys General, the NCSL and consumer groups. The majority of states that have enacted those laws trigger notice to consumers when personal information, whether in electronic or paper form, was acquired or accessed -- or believed to have been -- by an unauthorized person.

But lawyers, like Hunton & Williams’ Sotto, who assist companies responding to security breaches don’t find the state laws particularly consistent or benign.

“They are not harmonized,” said Sotto. “Although the gist is the same -- if there is an event, you need to notify the individuals who are subjects of the event -- the laws differ in some very significant ways.”

For example, she explained, the definition of personal information varies under the laws. Some state laws cover personal information such as name, Social Security number and driver’s license number. Others add to those items bank account numbers, credit card numbers and PIN numbers, date of birth, employer ID number and mother’s maiden name.

Some state laws apply only to information in paper records, she added, while others apply to computerized information. They also vary as to who besides consumers must be notified.

What triggers notice also varies widely, said Sotto. “In many states, a majority, you notify when there is a reasonable belief that data has been acquired by an unauthorized person,” she explained. “But some states use the word ‘accessed.’ Some states have a harm threshold -- there is a reasonable likelihood of harm -- and that is always in different verbiage.

“It’s not only maddening to the company dealing with the security event, but it’s shifting resources from dealing with the problem to how to figure out how to comply with 30-plus different laws,” said Sotto.

PATCHWORK OF LAWS

But not all of industry sees a problem with the states’ patchwork of laws in this area.

Emily Hackett, executive director of the Internet Alliance, which represents Internet companies in 50 states, said: “The security-breach laws right now are not overly burdensome or overly complicated. The industry is not having a hard time complying. There have been a lot of them. But I don’t think it’s ripe for federal legislation.”

Hackett noted that the states were well ahead of the federal government in enacting anti-spam legislation. Congress did not act until California was perceived as overreaching, she said. But with security-breach laws, she said, “The states are asking industry to be careful, to be transparent.”

Patchwork state laws are simply “what states do,” she said, adding, “If they’re too contradictory, then act, but these all follow a similar pattern. California passed its law. If we can keep things within that range, then we’re doing pretty well. No one’s freaking out.”

Although Hackett thinks that the issue is not ripe for federal legislation, she said she would not be surprised to see Congress act. At least a dozen bills have been introduced in the House and Senate to deal with aspects of security breaches and identity theft.

But the key issues -- or sticking points common to all -- include: What types of data breaches should trigger notice to consumers? Any unauthorized disclosure or only those disclosures of information that could lead to harm, such as identity theft? If there is a national notification standard, which federal agency should enforce it? Should all state laws be pre-empted? Will state attorneys general continue to play a role in investigating security breaches and enforcing related consumer laws? Should data brokers such as ChoicePoint come under federal regulation?

State laws should not be pre-empted because some may offer more consumer protections and more options for redress than any federal law enacted, said Jeremy Meadows of the National Conference of State Legislatures.

The NCSL typically does not oppose minimum standards set by Congress in any number of areas. “But we definitely don’t want Washington setting a maximum that would cap the states’ creativity,” said Meadows.

The House bill that almost reached a floor vote at the end of last month, H.R. 3997, does cap states’ creativity, he added. “It provides a ceiling rather than a floor. While we don’t like a floor either, it is much more tolerable than a ceiling.”

U.S. PIRG, Consumers Union, Privacy Rights Clearinghouse and other consumer groups find nothing tolerable in H.R. 3997. They contend that its notification standard is so high that it amounts to no notice of breaches to consumers. They also contend that it pre-empts all state laws, fails to regulate data brokers, eliminates state attorneys general from enforcement efforts in this area, and rolls back protections under other federal privacy laws.

Playing the admitted “contrarian,” Albert Gidari, a partner in the privacy and security group of Seattle’s Perkins Coie, said that there is no empirical evidence that notice of data breaches helps consumers.

“Notice vindicates no rights whatsoever and, personally, I think it scares them to death with no discernible benefit,” said Gidari.

The only real damage of a breach is if somebody is able to open an account in the consumer’s name, he added. That is easily solved by requiring those companies that extend credit to know to whom they are extending it, he said, and to allow people to clear their names if identity theft happens.

“Based on my experience dealing with more than 20 cases of breach in companies, the state and national approach is not the right one,” added Gidari. “But if an approach has to be made, it should be national. We live in a globalized information world. It’s time for states to stop thinking California’s need for protection is greater than North Dakota’s.”

Marcia Coyle is a reporter with The National Law Journal, a Recorder affiliate based in New York City.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.