Massive data security breaches at leading U.S. retailers over the holiday season have put the spotlight on the lack of a federal data security law and the patchwork of state laws that govern data protection. Efforts in prior years to create a federal standard have not gone far in Congress, notwithstanding that the Obama administration has supported these efforts and there has been bipartisan support. That could conceivably change given the attention that the recent retail industry breaches, which have touched tens of millions of Americans, have garnered. Senators Tom Carper (D-Del.) and Roy Blunt (R-Mo.) have introduced the 2014 Data Security Act, which would require companies that accept credit or debit cards to:

  • have data security and breach preparedness plans
  • promptly investigate and remediate security compromises
  • notify affected consumers
  • notify the federal government
  • and, if more than 5,000 consumers are involved, notify credit reporting agencies.

The act would largely preempt the myriad current state laws on data security and breach notification, creating one national standard. Enforcement would be by federal authorities, and there is no private right of action. The Carper/Blunt bill will compete with the recently reintroduced Personal Data Privacy and Security Act from Senator Patrick Leahy (D-Va.), which is largely similar to bills he has introduced in the last three Congresses. It too would preempt state laws, but it is more comprehensive and complex than the Carper/Blunt bill and carries strict penalties.

We will keep an eye on these bills and other data privacy and security legislation. After years of talk about a single U.S. data security and breach standard, 2014 may be the year for it. However, even if there is support in Congress to create a federal standard that preempts state laws, only time will tell what that standard involves.