President Obama made headlines recently when he announced that his administration is forging ahead with proposals for cybersecurity legislation. Highlighted among his priorities are data security, privacy, and identity theft. One particular bill, the Personal Data Notification and Protection Act, would standardize requirements for how businesses must notify consumers when their personal information is exposed by a data breach.
Federal laws related to cybersecurity are mostly sector-specific, meaning they apply only to a particular industry. For example, laws such as GLBA and HIPAA govern requirements for financial services and healthcare, respectively. In 2003, Sen. Dianne Feinstein (D-CA) introduced the first federal data breach notification bill, which would apply across all industries, and countless bills have been introduced since. None have passed. Following President Obama’s statement, Senator Feinstein released a statement in support, stressing that “in just the last 18 months, many millions of Americans have had data stolen in hacks of Target, Neiman Marcus, Home Depot, Sony, JP Morgan Chase and other companies. Cyberattacks cost the economy hundreds of billions of dollars a year, and this will only get worse. Congress must take steps to minimize the damage.”
Currently, 47 states have breach notification statutes on the books, but each contains different provisions. For example, many states have their own definitions of what constitutes PII, or Personally Identifying Information. All states include such things as name, Social Security number, driver’s license, and credit card information, but definitions vary wildly beyond these items. Some add biometric data, such as an individual’s fingerprint or retinal scan, and others include employee identification numbers, health insurance numbers, or medical information. Businesses have been clamoring for the federal government to standardize notification requirements for quite a while, complaining that the cost of complying with the patchwork of laws across the states is an unfair burden on their costs of operation.
Over the years, countless bills have been introduced in Congress, only to die in committee or fail to pass the floor vote. One major reason for this is the preemptive nature of the federal legislation. Preemption means the federal law supersedes all existing state laws. Under the Supremacy Clause in Article Six of the Constitution, when state law and federal law are in conflict, federal law wins. Hence, if a state has a breach notification law on the books and a federal statute is enacted, the state law becomes null and void.
Most analysts expect this legislation to fail—as have previous incarnations—and the primary reason is the pressure involved with preempting state laws. These laws differ not only as to which kinds of personal information are covered, but on many other aspects as well, including which events would trigger notification of a breach, which other parties should be notified, and whether consumers have the right to sue.
Partisan polarization is an oft-touted scapegoat for gridlock and legislative failure, but in this case partisanship is not actually the problem. The fact of the matter is that members of Congress represent the citizens of their state as well as the nation as a whole. Many are hesitant to vote for a federal law that would undercut the protections their constituents support back home. Others are unhappy with a bill that is more expansive than their state’s own law. For this reason, Republican control of Congress doesn’t make the bill’s outlook any more optimistic.

Last year alone, five new breach notification bills were introduced and died in the Senate, most of them barely altered revivals of previous failed proposals. Although this new bill remains unlikely to pass, there are attempts at compromise. During a House Energy & Commerce subcommittee hearing on Capitol Hill last month, Rep. Peter Welch (D-VT) suggested that a strong data security standard might alleviate concerns over preemption. He appealed to the panelists, “I favor non-preemption, but if we get the right standard, can we have preemption?”