On October 5, House Financial Services Committee Chairman Jeb Hensarling (R-Texas) called for national standards for data breach notification and data security. While voicing concerns about a “Washington-forced technology solution,” Hensarling said, “We do need a consistent national standard for both data security and breach notification in order to better protect our consumers, hold companies accountable and assure that this affair does not repeat itself.”
Hensarling’s call for national standards for data breach notification and data security is not new. For more than a decade, Congress has debated various legislative proposals that would create national standards and, possibly, preempt what many see as a labyrinth of confusing and conflicting state data breach notice and data security laws.
The U.S. Chamber of Commerce has voiced support for national standards that would preempt state laws. In its official statement of its policy priorities for 2017, the Chamber noted its support for “a truly uniform federal standard for breach notification” and legislation that includes “carefully drafted provisions, including preemption.”
That endorsement echoes the Chamber’s longstanding position. In a 2015 letter to Congress, for instance, the Chamber said a “weak or poorly drafted preemption provision would accomplish little other than adding a new federal law to the state statutes and common laws already in effect, resulting in a confusing patchwork of requirements and enforcement regimes that would undermine the purpose and effectiveness” of any legislation.
Others, however, oppose efforts to preempt state laws. In July 2015, forty-seven state and territorial attorneys general signed a letter to congressional leadership opposing any federal standards that would preempt state laws. The AGs argued that “any additional protections afforded consumers by federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft.” That role, according to the AGs, is important because state AGs “are on the front lines responding to breaches” and because state legislatures have passed “significant, innovative laws related to data security, identity theft, and privacy.”