Our guest blogger this week is Gant Redmon, Co3 Systems.
Working for a company that navigates 46 different state breach notice laws and a plethora of sector-based federal breach notice laws, I’m often asked what I think the likelihood is that the Federal Government will pass a comprehensive data breach notification law that supersedes all the state laws. While I don’t rule out a federal law passing at some point, I see it setting a floor of breach response responsibility rather than superseding everything already in place.
Put yourself in the shoes of a legislator trying to harmonize all the different state laws. That legislator is going to have three big political challenges.
The first challenge is choosing a single standard in the face of wildly different state standards. How will affected states feel about the Federal government imposing a different standard than the one they’ve settled on? Changing the rules in dozens of states will cause upheaval with political fallout.
The second challenge will be dealing with state attorneys general and treasurers. State AGs are becoming more and more active in tracking breaches and cracking down on companies that don’t provide proper notice or have adequate security procedures. Part of that crackdown includes fines collected that go to the state treasury. A federal law will strip those AGs of the role of privacy protectors and redirect funds to the federal government and away from the states.
The third challenge is that some states, like California and Virginia, go above even Federal notice requirements. What legislator wants to be known as the one who diluted people’s privacy rights by pre-empting strong protections and replacing them with weaker ones?
When trying to solve a problem, the first thing I ask is if I’m dealing with a problem worth solving. Privacy professionals and law firms have become well versed in the different state laws. Software solutions also exist that track all the different laws and provide incident response plans that are easy to follow. If the problem here is the complexity involved in dealing with disparate state breach notice laws, then we don’t have a problem worth solving.