Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

A Civil War Between the States and Federal Government Over One Law for All Breach Notifications

By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.

Unlike other recent Congressional fights, the dispute over a single federal law on how customers should be notified about breaches looks to be less rancorous and more civil. That’s because privacy concerns cut across party and ideological lines, often uniting staunch conservative Republicans with civil libertarian Democrats.

The renewed interest in a federal breach notification law covering all fifty states comes on the heels of the Target, Neiman Marcus and Michaels breaches. And while the same vitriol that was apparent in other Congressional battles may not be present, there is a lot to be considered, including how a federal law would affect state regulations that are already in force.

In her Reuters piece, tech/cyber policy reporter Alina Selyukh writes:

Although federal laws already regulate how specific industries, such as banks and hospitals, handle compromised data security, certain other kinds of companies, including retailers, face no such uniform standard.

Instead, 46 states and the District of Columbia have passed their own laws that tell companies when and how consumers have to be alerted to data breaches and what qualifies as a breach.

With that, negotiations over fitting state standards under an umbrella federal law face a tug of war between companies, consumer advocates and state authorities.

Large companies working across state lines argue that state laws present a patchwork of regulations and compliance poses a challenge. Companies often issue one nationwide notice to consumers with state-specific supplements at the end. “Certainly, one standard is easier to follow than 47,” John Mulligan, Target’s chief financial officer, told lawmakers…. The No. 3 U.S. retailer has stores in every U.S. state except Vermont.

The National Retail Federation in a January letter to Congress also restated its decade-old position in favor of a nationwide standard that would pre-empt state rules. “A preemptive federal breach notification law would allow retailers to focus their resources on complying with one single law and enable consumers to know their rights regardless of where they live.”

Some state attorneys general worry above all that federal standards would dilute their power to pursue violators….

“There are 47 state standards, there’s no reason to add a 48th,” said [Representative Lee] Terry, the most prominent Republican leading a legislative effort at this point.

Consumer advocates say that the companies’ call for a single law masks the goal of having a weaker federal standard that would trump stricter laws on the books in states like California and Massachusetts.

“None of the federal proposals are as strong as the strongest state laws and that’s wrong,” said Edmund Mierzwinski, consumer program director at U.S. Public Interest Research Group. “I don’t think we need (a federal law) that’s weaker than California’s.”

California was the first state to adopt a data breach law in 2003. After a decade of fine-tuning, it requires a detailed disclosure to consumers “in the most expedient time possible and without unreasonable delay” when personal information, including emails with passwords, is “reasonably believed” to have been stolen.

Though many state requirements are broadly similar, some states, such as Montana and Ohio, require notification only if a breach poses or is believed to pose harm or material risk such as identity theft.

Many states also use more limited definitions of what personal information is included. A common definition includes name combined with the Social Security number, driver’s license number or payment card number together with information needed to access financial records.

Alabama, Kentucky, New Mexico and South Dakota do not have their own data breach notification laws.
