This article is brought to you by the fine folks at The Hill
State AGs clash with Congress over data breach laws
Attorneys general from all 47 states with data breach notification laws are urging Congress not to preempt local rules with a federal standard.
“Any additional protections afforded consumers by a federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft,” they wrote in a letter sent to congressional leaders on Tuesday.
Lawmakers have been weighing a number of measures that would create nationwide guidelines for notifying customers in the wake of a hack that exposes sensitive information. Industry groups have argued that complying with the patchwork set of rules in each state is burdensome and costly.
The rapidly rising number of breaches at retailers, banks and government agencies has only raised pressure on Congress to pass legislation.
While the concept of a federal standard has bipartisan appeal, the two parties have split over whether to totally preempt state laws.
Democrats fear a nationwide rubric that preempts state law could weaken standards in states that have moved aggressively on data breach laws. Republicans fear that an overly strict federal standard could empower overzealous government regulators.
Lawmakers also disagree on what types of breaches should trigger a notification.
The differing views have spawned a cavalcade of bills on Capitol Hill, many of which would preempt state laws.
“Given the almost constant stream of data security breaches, state attorneys general must be able to continue our robust enforcement of data breach laws,” said Virginia Attorney General William Sorrell, who oversees a law that requires companies to notify officials within 14 days of discovering a breach, in a statement. “A federal law is desirable, but only if it maintains the strong consumer protection provisions in place in many states.”
Many state attorneys general, including Sorrell, favor a Senate data breach offering from Sen. Patrick Leahy (D-Vt.) that is co-sponsored by five other Democrats.
Notably, the bill does not preempt state laws that are stricter than the standard delineated in Leahy’s bill.
It also provides a broad definition of what type of information would constitute a notification-worthy breach. It includes photos and videos in addition to more traditional sensitive data such as Social Security numbers or financial account information.
But most important for states is retaining their ability to set their own standards.
“States should also be assured continued flexibility to adapt their state laws to respond to changes in technology and data collection,” the letter said. “As we have seen over the past decade, states are better equipped to quickly adjust to the challenges presented by a data-driven economy.”