Federal data breach notification law could simplify process

A uniform federal law governing notification of data breaches would be welcome, but it should pre-empt related state laws if it is going to be helpful to employers, observers say.

With the exception of Alabama, Kentucky, New Mexico and South Dakota, every state as well as the District of Columbia, Puerto Rico and the U.S. Virgin Islands has enacted legislation requiring notification of security breaches involving personal information, according to the Denver-based National Conference of State Legislatures.

On Aug. 31, for instance, California Gov. Jerry Brown signed into law amendments to the state's security breach notification statute that establish new content requirements for breach notification letters to California residents and mandate notification to the state attorney general when a breach affects more than 500 state residents.

Observers say there are no immediate prospects for a federal law, although several bills on the issue have been introduced. They include the Personal Data Protection and Breach Accountability Act of 2011, which was introduced by Sen. Richard Blumenthal, D-Conn., this month. The bill is intended to protect consumers from threats to their sensitive, personally identifiable information online and to safeguard data security. It has been referred to the Senate Judiciary Committee.

In July, the House Energy and Commerce Committee's trade subcommittee approved the Secure and Fortify Electronic Data Act, which was introduced by Rep. Mary Bono Mack, R-Calif., but it has been in committee since.

Observers say both bills include state law pre-emption provisions.

Right now, whenever firms have a breach, they are in the “unenviable position of having to navigate through many state laws,” said Aaron P. Simpson, a partner with law firm Hunton & Williams L.L.P. in New York. A federal law would be “helpful for companies trying to do the right thing.”

Alex Ricardo, New York-based director of breach response services at Beazley Group P.L.C., said a federal law would “streamline the process for interpreting various laws” and make it easier for the covered entities as well as “hopefully make it less expensive.”

Pre-emption, though, is important. The privacy requirements of the federal Gramm-Leach-Bliley Act of 1999, which addresses consumer financial issues, and the Health Insurance Portability and Accountability Act of 1996 “set the floor with respect to privacy in terms of what's required” by companies but do not pre-empt state law, said Laurie Schwarz, senior vp for Lockton Cos. L.L.C.'s global technology and privacy practice in San Francisco. And without pre-emption, “you're still going to have to deal with the patchwork” of state laws.

“It depends on what the federal statute would look like,” said John F. Mullen Sr., an attorney with Nelson, Levine, de Luca & Horst L.L.C. in Blue Bell, Pa., of a federal law. The concern is that states take the position, “You pre-empted this part of our law, but not that part,” he said.

Alan E. Brill, senior managing director for the computer forensics and secure information services practice of New York-based Kroll Inc., said, “It is very difficult now to have different thresholds of what constitutes a breach, and different requirements for notifications. It certainly makes the entire process more complex.”

But at the same time, if certain states require more immediate notification, “What are you going to do, not notify the other people?” asked Mr. Brill. As a result, “I think we see very often there's more uniformity in notification regardless of the laws.”

Lori S. Nugent, a partner with law firm Wilson Elser Moskowitz Edelman & Dicker L.L.P. in Chicago, said she is not sure a federal statute is inevitable. “There has been variation in the effectiveness of regulators addressing” the issue on the federal and state levels, and “I'm not sure when, or whether, the federal government will want to jump into this particular thicket,” she said.