[BreachExchange] State AGs Argue That Federal Data Security Legislation Should Set Floor, Not Ceiling

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 31 19:46:13 EDT 2017


https://www.natlawreview.com/article/state-ags-argue-federal-data-security-legislation-should-set-floor-not-ceiling

The flood of massive data breaches – including, most recently, the Equifax
breach that compromised the personal data of around 145 million U.S.
consumers – has increased the pressure on Congress to pass sweeping federal
data security and breach reporting legislation. While it’s difficult to
project whether such legislation will be enacted in the near future, and
what it will look like in the event that it is, an important and
contentious question has already arisen: If federal legislation is
ultimately enacted, should it preempt the patchwork of state and local laws
that presently govern this area?

Setting aside the handful of industries – including healthcare and finance
– that are already subject to federal data security laws, the data security
and breach reporting obligations of most U.S. organizations are established
by a medley of state and local laws. This legal patchwork is confusing and
arduous for organizations and data subjects to navigate, particularly since
the types of data elements protected, and the processes for determining
when a breach must be reported, vary from state to state. At least in
theory, therefore, federal preemption in this area would be a step in the
right direction.

Not so, say the New York and Massachusetts attorney general’s offices, both
of which have been active in the data security space. On October 25, 2017,
these offices urged U.S. House members to use federal law to set a floor
for data security and reporting standards; not a ceiling. Setting a federal
ceiling, argued Kathleen McGee, Chief of the Bureau of Internet and
Technology at the New York Attorney General’s Office, would stifle
innovation in this area: “States have proven the ability to act quickly” to
address technological changes that impact data security, Ms. McGee said.
Congress, she added, “should not limit states’ ability to innovate in this
area.”

Touting the effectiveness of state-level legislative and enforcement
efforts, assistant Massachusetts Attorney General Sara Cable noted that her
office has received over 19,000 notices since its data breach notification
law went into effect in 2007, including 4,000 in 2016 alone. These notices,
she said, have revealed that, while “there are entities that are doing it
right,” she sees “far too often that entities are not treating consumer
information like the valuable asset it is.” “I would submit,” she
continued, “that any [federal] law that is proposed that is weaker than the
law that we currently have today [in Massachusetts] is worse than doing
nothing.”

We will keep you posted as federal lawmakers continue to grapple with the
escalating threats to personal data. In the meantime, we strongly encourage
organizations to take appropriate steps to ensure that they are compliant
with their current state law data security obligations. A growing number of
states now require subject organizations to develop policies and procedures
to safeguard the personal information that they hold, and the definitions
of “personal information” under state law continue to expand to cover
additional data elements like health information, email addresses and
usernames, and biometric data. And state agency investigations and
enforcement actions are not the only area of concern for organizations that
fail to comply with their data security and reporting obligations. Some
state laws provide a private right of action and, in an ominous
development, 26 employment class action lawsuits in the past three months
alone have alleged violations of the Illinois Biometric Information Privacy
Act.