[BreachExchange] Is It Too Late for a Uniform State Approach to Data Breach Notification?

Destry Winant destry at riskbasedsecurity.com
Thu Aug 3 07:30:24 EDT 2017


http://www.jdsupra.com/legalnews/is-it-too-late-for-a-uniform-state-16230/

Privacy professionals have long lamented the myriad of approaches each
state takes when it comes to data breach notification requirements.
According to the National Conference of State Legislatures, 48 states,
the District of Columbia, Guam, Puerto Rico and the Virgin Islands
have enacted legislation requiring covered companies to make certain
notifications to affected consumers and specified regulators when a
security breach of personally identifiable information occurs.

When so many states have “left the barn,” can they be corralled into
one consistent regulatory scheme? That is the question the Uniform Law
Commission plans to delve into over the coming year.  At its recent
annual meeting in San Diego, California, the executive committee of
the Commission approved a study committee to assess whether it is
desirable for the Commission to draft a uniform act governing data
breach notification requirements.

What is the ULC?

Created in 1892, the Uniform Law Commission develops and drafts
uniform legislation for consideration by state legislatures. Past work
of the Commission has produced legislation such as the Uniform
Commercial Code and the Uniform Electronic Transactions Act.  The
Commission is comprised of several hundred judges, law professors,
legislative staff, legislators and attorneys in private practice
(“Commissioners”).  Each state, the District of Columbia, Puerto Rico
and the U.S. Virgin Islands appoint Commissioners.  I serve as a
Commissioner for Virginia and attended the annual meeting in San
Diego.

Charge of the Study Committee

The study committee will evaluate “the need for and feasibility of
state legislation on data breach notification including consideration
of what sorts of personal information should be protected; to whom,
when and how notice should be provided and the contents of the
notice.” At this time the committee is not authorized “to consider
remedies for injury caused by a data breach.”

Why Now?

It was acknowledged by the Commission’s Scope and Program Committee
that 48 states have enacted some type of breach notification statute.
Often the Commission will not propose a uniform law if a significant
number of states have already enacted laws on the subject matter.
Given the various approaches by the States, the lack of uniformity and
the emerging importance of privacy issues, the committee determined
that there was value in assessing whether a uniform approach might be
desirable and attainable notwithstanding that virtually every state
has acted in this area.

What Happens Next?

Within the next two months, the President of the Commission will
appoint members of the study committee. The committee will begin its
work and report its findings to the Scope and Program Committee of the
Commission.  If the study committee decides that uniformity in state
law is desirable in this area it may recommend that the Commission’s
Executive Committee authorize the study committee to begin the process
of drafting a proposed uniform act that would eventually be provided
to the States for consideration and adoption.

It is anticipated that the study committee will seek the input of the
National Association of Attorneys General (“NAAG”) on this project.
One of the rationales put forth for the Commission to undertake this
project was the potential to work jointly with NAAG.  Support of state
attorneys general will be important to the overall success of this
project.  The study committee will solicit input from a broad array of
stakeholders over the next year.

Implications for the Privacy Professional?

The time period for study and then possible drafting of a uniform law
may take anywhere from one to three years due to the process followed
by the Commission. The study period usually takes a year prior to
determining whether to proceed to a drafting committee.  A proposed
uniform act is usually debated, revised and further considered for a
minimum of two years before it is finalized and sent to the States for
consideration.  At that point, the Commissioners of each state are
asked to seek introduction of the legislation in their state and to
advocate for its passage.

While it is too early to gauge the success of a uniform law on this
subject at state legislatures, it is fair to say that the prospects
for success will be significantly impacted by whether state attorneys
general are onboard with any proposed changes. Consumer protection is
a primary focus of every state attorney general and any change to
their authority without their support will impact the likelihood of
widespread adoption of a uniform approach to this topic.

Short term, this development does not impact a company’s response to a
data breach. Long term, if the effort is successful it has the
possibility to lower compliance costs when a breach occurs and
notification is required.  If there is any possibility of divining a
path to a uniform approach, the Commission appears to be the body that
has the track record to lead the States to that end.

