High Priority: A federal data breach notification law

By Jeffrey Douglas on December 2, 2014

Every day seems to bring word of a new data breach and, given the stakes, it would be easy to assume that dealing with the damage the breaches cause would be a top government priority. Unfortunately, a myriad of conflicting state laws, as well as the lack of one overarching federal law, creates legal and compliance nightmares for companies and consumers alike.

For example, in late February and early March 2014, hackers successfully targeted eBay’s corporate network. They accessed the personal information of up to 145 million customers, including encrypted passwords, addresses and birth dates. But eBay allegedly did not immediately alert its customers and, when this became known, the company endured substantial public criticism. It’s now facing a possible class action lawsuit–Green v. eBay. Count Nine of the suit, “Violation of Multi-State Privacy Laws,” alleges eBay violated the data-protection laws of 47 states and four US territories. State attorneys general from Florida, Connecticut and Illinois also announced investigations into whether the breach violated state law.

Situations such as this make clear that there is a pressing need to simplify data-breach laws. Congress should enact a single federal statute that preempts the proliferating and constantly changing state laws, and provides uniformity and predictability to this emerging and important area of law.

Privacy and Protection

Congress has already addressed the personal-data privacy question, except for data protection and breach notification standards. Laws designed to protect the privacy of personal information generally can be grouped into three categories:

  • Many federal laws prohibit unauthorized access or collection of private information, including hacking. This extensive body of federal law includes the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act of 1986 and the Children’s Online Privacy Protection Act of 1998.
  • Federal laws govern the voluntary disclosure and sale of personal information that was lawfully collected, such as by online retailers. This is governed by, among other federal statutes, the Privacy Act of 1974, the Federal Trade Commission Act of 1914, the Video Privacy Protection Act of 1988 and the Fair Credit Reporting Act of 1971/1999.
  • State laws impose data security and notification obligations on organizations that handle private personal information. The purpose of these laws is to minimize the risk that data security is compromised, and to minimize the harm from any breach.

Importantly, no overarching federal statutes govern this third category. Federal law provides anti-breach standards for a handful of specific industries and entities: financial services, health care and the federal government itself. But for most companies that handle personal information, including retailers and social media providers, there is no uniform standard for the appropriate response in the event of a data breach.

The Patchwork of State Laws

In the absence of a uniform federal standard, most states have created their own legislation. In 2002, California became the first state to require notification of a breach of personal information. Today, every state except Alabama, New Mexico and South Dakota has such a law. Not surprisingly, this has resulted in a patchwork of state laws that sometimes conflict.

For example, most state data-breach laws define protected personal information as including some combination of an individual’s first name or first initial and last name, Social Security number, driver’s license number or state-issued ID card number, and account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account.

But there are variations:

  • Georgia’s definition includes any of this information if the combination “would be sufficient to attempt to perform identity theft using that information.”
  • Iowa includes “unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.”
  • In North Dakota, protected information includes “the individual’s date of birth; the maiden name of the individual’s mother; medical information; health insurance information; an identification number assigned to the individual by the individual’s employer; or the individual’s digitized or other electronic signature.”

Most state breach-notification statutes are broad enough to govern the activity of any entity that owns or maintains personal information. But Wisconsin’s law only applies to institutions and businesses. Georgia’s law applies to professional “information brokers” and certain state or local agency or subdivisions, including public universities, that qualify as “data collectors.”

In some states, any unauthorized access to information triggers a notification requirement, even if circumstances suggest it will not be, or has not been, used for identity theft. States following this rule include California, Illinois, New York and Texas. In contrast, Connecticut, Florida, Ohio and Wisconsin require notification only when the breach of personal information presents a material risk of harm to the victims.

While many state laws allow affected organizations to determine the content of consumer notifications in the event of a breach, some states have their own unique requirements. These typically require, at a minimum, that the notice describe the breach in general terms and the type of sensitive information compromised.

  • In Illinois, however, notice must not “include information concerning the number of Illinois residents affected.”
  • Hawaii additionally requires that notice contain “advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.”
  • Iowa requires that consumers be advised to “report suspected incidents of identity theft to local law enforcement or the Attorney General.”
  • Wyoming mandates that notice “shall include a toll free number that the individual may use to contact the person collecting the data” in order to collect “the toll free contact telephone numbers and addresses for the major credit reporting agencies.”
  • Puerto Rico requires both a toll free number and an Internet site.

State requirements about the form of notice are equally diverse and can also depend on the cost or number of notices involved.

The majority of states provide a qualitative (and ambiguous) requirement for how soon disclosure must be made: generally, disclosure must be made as quickly as possible, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.

Some states require that notice always be given to the state’s attorney general or consumer reporting agency when notice is given to consumers, while others do not require any such notice. The rest require notice only if a certain number of state residents are affected. (That number can be 500, 1,000 or 10,000.)

Some states impose affirmative data security standards upon owners of personal information. Most commonly, states simply require these entities to take “reasonable measures” to protect and secure personal information in electronic form. But Massachusetts, by regulation, imposes a duty to maintain a written and “comprehensive” information security program. California further requires that businesses that disclose personal information to any third party obtain contractual assurance that the third party will itself implement reasonable security procedures.

Uncertainty, Expense and the Impossibility of Compliance

Congress should enact data security and notification legislation, and likely could rely on the Commerce Clause as a constitutional basis for doing so, given that most data breaches involve interstate commerce. This would also likely allow such legislation to preempt state data security and notification laws.

This uniform federal data breach legislation should resolve at least three major problems: significant uncertainty, estimating the expense of notifying consumers, and the fact that it may be impossible to comply with conflicting state laws.

As for compliance, when a company with a nationwide customer base experiences a data breach, it faces the difficult task of complying with the diverse laws of 47 states. But it may be impossible to follow the law of one state without violating the law of another. For example, notification to Massachusetts residents cannot describe the nature of the breach or the number of state residents affected. But in Florida, describing the nature of the breach is a requirement. If the affected company has access to contact information for those receiving notification, two separate notices can be provided. But if not, and publication is the only way to provide sufficient notice, it could be impossible to meet Florida’s requirements without running afoul of Massachusetts law (and vice versa).

Keeping up with various state laws comes at a steep cost. According to the Ponemon Institute, which releases an annual report on the cost of data-breach incidents, the average cost to a US company for a data breach increased to $5.9 million in 2014, up from $5.4 million last year, and the average cost for each lost or stolen record containing confidential information increased from $188 to $201. Of this, post-breach notification costs averaged approximately $500,000, or one-tenth of the total cost. These substantial notification costs can undoubtedly be reduced with a single federal standard that makes notification simple and predictable for businesses and consumers nationwide.

State laws that mandate rapid notification are a significant cause of increasing costs. The Ponemon study found that organizations that notified customers “too quickly,” without a thorough assessment or forensic examination, incurred an average cost increase of $15 more per record. These costs are likely to have significant consequences in the context of data security. Rather than focusing on data security and response readiness, businesses will inevitably expend significant resources trying to comply with the myriad state laws. Plus, state laws are continually changing, which compounds the problem: Changes to California, Florida, Kentucky and Iowa laws all took effect in 2014.

A single federal standard would simplify data security preparation, present industry with clear notice obligations in the event of a breach, and reduce the likelihood of unnecessarily complex litigation.

A uniform federal standard would also benefit consumers by removing ambiguities regarding jurisdiction. Several states, attempting to lessen the burden of compliance, deem a business to be in compliance with data privacy laws if it complies with the laws of its “primary or functional” state, even though several locations could qualify as such. This results in the consumer not being able to rely on the laws of his or her own state, instead hoping the entity storing sensitive personal information is subject to a state with adequate legal standards.

Congressional Options

A number of relevant bills have been introduced in both the Senate and House of Representatives.

Several create comprehensive data-security laws. For instance, the proposed Personal Data Protection and Breach Accountability Act would require regulated businesses to develop broad security measures. A compliant plan must assess risks of future security breaches and develop a program to control those risks, ensure adequate employee training on data security, ensure regular testing of the security system, and monitor and adjust the program. In the event of a breach, businesses must notify affected consumers and provide them a free credit report for a two-year period.

Other proposed laws that similarly seek to establish comprehensive rules on data security and notification requirements include the Personal Data Privacy and Security Act and the Commercial Privacy Bill of Rights Act. Additional options include the Data Security and Breach Notification Act, the Data Security Act, and the Secure and Fortify Electronic Data Act (“SAFE Data Act”).

Where the proposed laws differ is in the details, such as the definition of a covered entity.

Unfortunately, these proposed statutes remain in the committee stage of the legislative process, and lobbying groups have fought over features of the proposed bills.

President Obama recently called on Congress to enact a “national standard that brings certainty to businesses and keeps consumers safe” and that would preempt the “current patchwork of laws.”

To help break the logjam, Congress could consider enacting data-breach legislation that shifts the burden of fashioning details to regulators. Several of the proposed bills–including the Data Security and Breach Notification Act and the SAFE Data Act–call on the Federal Trade Commission to promulgate regulations on data security and notification. If Congress cannot agree on the minutiae, delegation may be a viable solution.



Jeff Douglass is a partner in both the Litigation and Data Security and Breach practices at Morris, Manning & Martin. Ryan Burke and Sam VanVolkenburgh are associates at the firm.