In the wake of recent, large-scale data breaches, several pieces of legislation have been introduced in Congress to establish a national data breach notification law, including a House bill that would preempt the current “patchwork” of laws with a single, national protection and notification standard.  A group of 47 state attorneys general objected to the possibility of federal preemption of state data breach notification laws in a letter sent to congressional leaders last week.

In the letter, the National Association of Attorneys General asks that any federal data breach notification law not preempt similar state laws already in place.  The attorneys general cite a similar letter in 2005 that argued preemption “interferes with state legislatures’ democratic role as laboratories of innovation.  The states have been able to respond more quickly to concerns about privacy and identity theft involving personal information and have enacted laws in these areas years before the federal government.”

The state attorneys general highlight the “important role states already play protecting consumers from data breaches and identity theft,” calling legislation passed by states “innovative.”  The attorneys general also note that several states in recent years have enhanced breach notification laws with additional protections, including requiring notification for compromised biometric data, login credentials for online accounts, and login credentials for medical information.  They wrote, “[o]ur constituents are continually asking for greater protection. If states are limited by federal legislation, we will be unable to respond to their concerns.  Toward that end, it is important that any federal legislation ensure that states can continue to enforce breach notification requirements under their own state laws.”

Further, the attorneys general point out, states are on the “front line[s] in helping consumers” following a data breach.  The states also investigate breaches and monitor businesses’ compliance with state requirements to maintain reasonable security practices and to notify consumers when a breach occurs.  Many state data breach notification statutes require data collectors experiencing breaches to directly notify the attorneys general in states where the affected consumers reside.

The attorneys general state that they recognize “the need to work together at the state level” and, as a result, 40 states assess data security matters as a working group.  The working group evaluates breaches impacting consumers in multiple states.  The letter also argues against vesting enforcement and regulatory authority over data breaches solely in the federal government.  The attorneys general believe that “[t]oo many breaches occur for any one [federal] agency to respond effectively to all of them,” and that “[s]tate attorneys general must have the authority to investigate such breaches.”  However, even if Congress chooses not to preempt state data breach laws expressly, federal legislation could impliedly preempt related state laws to the extent those laws frustrate Congress’ purpose in adopting a federal minimum standard to govern data breach issues.

Many consider the matrix of state laws in this area to be confusing and a barrier to a streamlined notification process that a uniform federal standard might bring.  For example, the breach notification law in New Jersey requires notification to a state agency before notification is made to affected individuals, while other states do not have such a requirement.  In addition, many state laws have a “risk of harm” trigger; that is, a provision that says, in essence, notification is not required if there is not a significant risk of harm to the affected persons.  However, the language in these provisions can vary, which places an additional burden on companies in the event of a multi-state breach.