In the past year, state legislatures have leaped ahead of Congress in enacting laws to notify and protect consumers whose personal data, held by businesses and other entities, have been stolen. But now the states are worried about being victims of their own success. In August the U.S. House of Representatives delayed an anticipated vote on federal legislation, heavily favored by industry, that would preempt state data-breach notification laws, set a national notification standard, and remove state attorneys general from the enforcement picture.

There is “absolutely” no need for federal legislation now, says Edmund Mierzwinski, director of consumer programs for U.S. Public Interest Research Group, which, along with Consumers Union, Privacy Rights Clearinghouse, and other groups, has been lobbying on the data security issue in Congress and in the states. “The states have solved the problem,” he says. “Industry [is] trying to undercut the best of the state laws.”

But the need for federal legislation is critical, counters Lisa Sotto, chairwoman of the privacy and information management practice of Hunton & Williams. “Right now, there are 34 data breach laws,” she says. “It changes daily; interpreting these laws is a nightmare.”

Final action on the House bill, which consumer groups consider to be the worst of a spate of data security bills but is largely favored by business, fell apart because of a jurisdictional dispute between two House committees with oversight of the issue. Whether any federal bill can pass in the time remaining in the current session is uncertain, say supporters and opponents. There is tremendous pressure from industry to pass a law, says U.S. PIRG’s Mierzwinski: “I’m doing my best to kill it.”

The problem of data security breaches drew national attention more than a year ago, thanks largely to ChoicePoint Inc., a company that collects personal and financial information on millions of consumers.
In February 2005 ChoicePoint reported that, as a result of a security breach, it had sold the personal information of about 145,000 people to a criminal enterprise. The company disclosed that breach to California residents because of the state’s Notice of Security Breach law, which took effect in 2003, and said it would notify all affected consumers regardless of residence. There have been other reported data breaches since then, but the ChoicePoint breach served as the catalyst for action by many state legislatures. The California law became their model.

In the past year alone, legislation was introduced in at least 28 states, according to the National Conference of State Legislatures. The states have been addressing the problem essentially in two ways: enacting notification laws that require companies and other entities (often government agencies) to inform consumers when data are lost, and enacting credit report freeze laws.

Under the credit report freeze laws, consumers basically put their credit reports in a “freezer” whenever they are not in the market for new credit. These laws are aimed at identity thieves who may have someone’s name and Social Security number and attempt to get credit using them. Only the true consumer, under the law, has the ability to “unfreeze” his or her credit report. Twenty states have enacted such freeze laws. An additional five states give this option only to identity-theft victims. Delaware has passed one of the strongest credit report freeze laws in the country, says Mierzwinski. Starting in 2008, the Delaware law will give consumers the right to unfreeze their credit reports in 15 minutes. “When the report is frozen, no new credit applications can be accessed,” he says.

The state security-breach notification laws are generally similar in what they require, according to the National Association of Attorneys General, the NCSL, and consumer groups.
The majority of states that have enacted those laws trigger notice to consumers when personal information, whether in electronic or paper form, was acquired or accessed, or believed to have been, by an unauthorized person.

But lawyers who assist companies responding to security breaches don’t find the state laws particularly consistent or benign. “They are not harmonized,” says Hunton & Williams’s Sotto. “Although the gist is the same . . . the laws differ in some very significant ways.” For example, she says, the definition of personal information varies widely. Some state laws cover name, Social Security, and driver’s license numbers. Others include bank account, credit card, employer ID, and PIN numbers, as well as date of birth and mother’s maiden name. Some state laws apply only to information in paper records, Sotto adds, while others apply to computerized information. They vary as to who must be notified, and which events trigger notice: “It’s not only maddening to the company dealing with the security event, but it’s shifting resources [away] from dealing with the problem.”

But not all of industry sees a problem with the states’ patchwork of laws. “The security-breach laws right now are not overly burdensome or complicated,” says Emily Hackett, executive director of the Internet Alliance, which represents companies in all 50 states. “I don’t think it’s ripe for federal legislation.” Hackett notes that the states were well ahead of the federal government in enacting antispam legislation. Congress did not act until California was perceived as overreaching. Patchwork state laws are simply “what states do,” she says.

State laws should not be preempted, because some offer more consumer protections and more options for redress than any federal law enacted, argues Jeremy Meadows of the National Conference of State Legislatures. The conference typically does not oppose minimum standards set by Congress.
“But we definitely don’t want Washington setting a maximum that would cap the states’ creativity,” he says.

But playing the admitted contrarian, Albert Gidari, a partner in the privacy and security group of Perkins Coie, says that there is no evidence that notice of data breaches helps consumers. “It scares them to death with no discernible benefit,” he says. “We live in a globalized information world; it’s time for states to stop thinking California’s need for protection is greater than North Dakota’s.”

A version of this article originally appeared in The National Law Journal, a sibling publication of Corporate Counsel.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.