Target, Home Depot, Anthem, and Neiman Marcus are but a few of the major companies that have recently made headlines for large-scale data breaches involving the personal information of millions of consumers. Though unique in their scale, these high-profile security breaches are, unfortunately, no longer an anomaly. The frequency and magnitude of data breaches continue to increase. In response, most states have enacted data breach notification laws that prescribe procedures for businesses to notify consumers about significant disclosures of sensitive personal information. The result has been a patchwork of conflicting state laws that make compliance costly for businesses operating across multiple states. Previous efforts at enacting federal legislation to supersede state notification laws have repeatedly stalled. However, a recent proposal by President Barack Obama appears to have reinvigorated efforts to enact a national data breach notification standard, and congressional hearings to develop a federal statute are already underway. Although the enactment of a federal notification standard has the potential to alleviate the burden of regulatory compliance for national businesses, the extent to which it does so will depend on whether the federal legislation preempts state notification laws or forecloses enforcement under other applicable state statutes.
State Notification Statutes
To date, 47 states have enacted data breach notification laws.1 Only three states have yet to enact notification statutes: Alabama, New Mexico, and South Dakota.2 Most state notification laws follow the same general structure and require businesses to provide prompt notice of a security breach to affected individuals and often the state attorney general, a designated state agency, or consumer reporting agencies. However, there is significant variation among the state laws. Under California’s data breach law, which has served as the model for several other states, businesses must notify individuals of any breach of unencrypted personal data “in the most expedient time possible and without unreasonable delay.”3 Other states impose a specific time frame and require notice to be made within 30 to 45 days.4 Notably, not all data breaches trigger state notification requirements.
In the aftermath of recent large-scale breaches, states have rushed to further tighten existing requirements. Legislators in Target’s home state of Minnesota, for instance, proposed an amendment that would have required businesses to provide notice within 48 hours of discovery of a security breach and to reimburse customers for any fraudulent expenses incurred as a result of a breach.5 Florida successfully shortened its notification period from 45 days6 to 30 days.7 And, in New York, Attorney General Eric Schneiderman is currently backing legislation that would broaden the definition of “personal information” under the state’s data breach notification statute.8
For years, many have called for federal legislation to replace incongruous state laws with a national notification standard. A federal data breach notification statute would not only give national businesses a uniform set of requirements to follow, thereby making compliance easier and less expensive, but it would also extend federal protection to individuals in the three remaining states without data breach statutes. Despite these advantages, attempts at enacting federal legislation have been controversial, particularly with respect to the issue of federal preemption of state law. For example, state attorneys general, who are often empowered by state data breach notification laws, have resisted legislation that would preempt stringent state notification requirements.9
Since 2013, federal lawmakers have unsuccessfully introduced at least five proposals for data breach notification legislation that would have preempted state law. Bills proposed by Senator Patrick Leahy,10 Senator Jay Rockefeller,11 and Senator Richard Blumenthal12 would have preempted state data breach notification laws while granting enforcement authority to state attorneys general. A bill by Senator Pat Toomey would have gone a step further to preempt not only data breach notification laws but also any law pertaining to the security of personal data.13 Meanwhile, a bill by Senator Tom Carper would have preempted all state action, including any notification laws as well as any law intended to protect the security of consumer data, safeguard data from misuse, or mitigate the harm resulting from security breaches.14 To date, none of the five bills has been reported out of committee.
President Obama’s Proposal
After years of failed proposals, however, there appears to be new momentum to enact a comprehensive federal data breach statute. On January 13, 2015, President Obama announced a proposal for federal data breach legislation that largely draws upon previous legislative proposals. Under the Personal Data Notification & Protection Act, business entities that store “sensitive personally identifiable information” of more than 10,000 individuals would be required to provide notification of security breaches without “unreasonable delay,” currently defined as fewer than 30 days.15 Businesses would be able to delay notice to affected individuals if they were able to prove that additional time is “reasonably necessary” to assess the scope of the breach or prevent additional disclosures.16 In addition to providing notice to affected consumers, business entities would be required to provide notice to an agency to be designated by the Secretary of Homeland Security when more than 5,000 individuals are affected by any particular breach.17 The law would also provide several exemptions to the notice requirement. Under the national security and law enforcement exemption, no notice would be required if the Secret Service or FBI determines that notification might “reveal sensitive sources” or the FBI determines that providing notice “could be expected to cause damage to the national security.”18 Under the safe harbor provision, a business would be exempt from providing notice if it conducts a risk assessment and determines there is “no reasonable risk that a security breach has resulted in, or will result in, harm to affected individuals.”19 Finally, under the financial fraud prevention exemption, a business would be exempt if it utilizes a security program that “effectively blocks the use of sensitive personally identifiable information to initiate unauthorized financial transactions before they are charged to the account of the individual.”20
As the proposal progresses through the House and Senate, amendments to two key provisions will be of particular importance to businesses that engage in interstate commerce: the 30-day notification requirement and the state law preemption provision. The 30-day notification requirement has been criticized because it imposes a stricter time frame than most state statutes and because it would limit the amount of time available for businesses to investigate a breach. As currently formulated, the federal statute would supersede any state law “relating to notification by a business entity engaged in interstate commerce of a security breach of computerized data.”21 The law would also grant state attorneys general authority to bring suit to enjoin any practice that does not comply with federal requirements, to enforce compliance, and to impose penalties of up to $1,000 per day per violation.22 However, the preemption provision has already been the subject of much debate and may be amended in an effort to build consensus in favor of the legislation. At a recent hearing held by the Commerce, Manufacturing, and Trade Subcommittee of the House Committee on Energy and Commerce to discuss the elements of a federal data breach statute, the question of federal preemption was a central point of disagreement.23 Therefore, although President Obama’s proposal provides a template for a future federal statute, the details of the notification requirement and the extent to which the legislation would preempt state data breach notification laws remain unclear. We will continue to monitor the progress of President Obama’s proposal for a federal data breach notification law and will provide updates as to its status and these open issues.