In comments at the FTC on Monday, President Obama called for a range of privacy reforms, including protections for student data and renewed baseline consumer privacy legislation. In response to the rash of data breaches that have affected companies ranging from Target to Sony, one proposal that the president emphasized would create a federal standard for data breach notification. As we have observed for years, federal data breach legislation is frequently proposed in the wake of high-profile breaches, but has yet to gain significant traction in Congress. In fact, the President called for data security legislation as recently as October 2014, to no avail. This time, the White House has released its own legislative language (based on its 2011 cybersecurity proposal) — the Personal Data Notification & Protection Act.
CDT has been largely supportive of the current state of data breach notification law, in which nearly every state (47, at last count) has passed a law requiring companies to notify consumers and/or regulatory agencies when breaches occur. Because many businesses operate nationwide, they tend to follow the strictest state laws for simplicity's sake, meaning that consumers nationwide tend to benefit from the most robust state laws. A federal law, as we have discussed previously, could supersede all of the state laws (because federal law can preempt state law), thus weakening protections for most Americans. For that reason, a federal law could be counterproductive: it could eliminate strong state protections that, in practice, already apply nationwide. To genuinely raise protections, a federal bill would need to introduce a feature not present in state law (such as requiring data brokers to give consumers access to the information held about them, which would allow consumers to more effectively monitor potential risks and the effects of a breach).
Our biggest concern with the President's bill involves the preemption clause; it is quite broad, eliminating all state laws related to data breach — even notification laws that cover data sets not covered by the legislation. For example, the legislation explicitly does not apply to entities covered by the HITECH Act, which governs health data. The HITECH Act's data breach provisions require notice to be given within sixty days, but its regulations preempt only those state laws that conflict with the HITECH statutory provisions and regulations, and explicitly do not preempt state laws that impose more stringent requirements than HITECH. Therefore, state laws with stringent requirements for health data breaches (such as California's, which requires notification within five days of a breach involving health data) are not preempted by HITECH — but would be preempted by this legislation, even though the legislation explicitly does not cover health data. At the very least, federal data breach legislation should preempt only those state laws that address the same areas as the federal law; any exemption from the federal requirements should also be an exemption from preemption. Alternatively, the preemption clause could be narrowed further to resemble the HITECH standard, which creates a floor for data protection rather than a ceiling. Moreover, the President's legislation does not include a private right of action, although 17 states currently provide one. The federal bill would preempt that enforcement mechanism in those states, removing an important incentive for companies to ensure that personal data sets are protected.
The preemption issues are an important component of any federal data breach legislation, and broad preemption provisions that apply beyond the scope of such legislation would be counterproductive. While companies would certainly benefit from one standard that superseded the 47 laws on the books, we need to be sure that consumers also receive protections that are as strong as what they currently enjoy. Moreover, a data breach notification law is inherently limited in what it requires companies to do, but could preempt more robust state laws that prescribe specific security practices or standards. This legislation would not mandate that companies create data security programs and audit their internal practices in order to protect consumer data. As a result, while some companies may be sufficiently incentivized by a federal data breach notification law to create robust programs in order to avoid the bad publicity of having to send notices to customers nationwide, others may take a calculated risk and hope for the best. Data breach notification only applies after a breach happens — and in some instances after the worst damage has been done.
Other provisions within the White House bill are also concerning. In his remarks, the president said that under the proposed legislation, companies would have to notify consumers of a breach within thirty days. This is probably less stringent than most of the state standards; for example, California (often considered one of the most pro-consumer states) requires companies to make the disclosure "in the most expedient time possible and without unreasonable delay," as do many other states. A thirty-day window will rarely amount to the "most expedient time possible," and so a federal thirty-day standard that preempts those state requirements may weaken existing protections for consumers.
The White House bill does include many of the elements that CDT has called for in a breach notification bill — including a trigger requirement which presumes that notification is necessary unless there is no reasonable risk of harm or fraud, and a requirement to notify the FTC even if there is no such risk. We are pleased to see these elements included in the bill, as they are a significant improvement upon several bills previously introduced in Congress.
But given the typical pattern of our legislative process — in which strong proposals get watered down by compromises, lobbying, and inertia — it is hard not to be concerned that even robust language proposed by the White House would inevitably become anemic, preempting stronger state language and effectively reducing consumer protections. We support certain proposals in federal data breach legislation (such as coordinated enforcement between state attorneys general and the Federal Trade Commission, financial penalties, private rights of action and increased consumer access) that would improve the landscape. The inclusion of such provisions would make us more supportive of this effort, but they’re nowhere to be found in this bill. While the White House deserves credit for addressing a high profile issue, there’s a lot more that this bill could do to raise the level of current consumer protection.