In June 2015, the United States Office of Personnel Management announced a massive data breach. Estimates are that the breach compromises the personal information of up to 18 million current, former and potential federal employees. This data breach joined the growing list of mega breaches that has many calling for a single, federal, uniform data breach notification law, to replace and preempt the current so-called “patchwork” of state laws that exist in all but a handful of states.
On July 7, 2015, the Attorneys General of 47 states and US territories joined together in a letter to congressional leaders opposing any federal preemption of state data breach notification laws. Echoing a similar sentiment expressed in a 2005 letter to Congress signed by 44 state attorneys general, the 2015 letter makes the case that state Attorneys General's offices play the role of “chief consumer protection officials in [their] respective states” and that a federal, preemptive data breach notification law would diminish that role in the field of data security.
This 2015 letter brings a very important point into focus, which is that the debate over the “need” for a uniform federal data breach law has been going on for more than a decade. Given this fact, one must wonder whether a federal law is really needed. Would a federal law be any more effective than the current state law “patchwork”? There are a number of reasons to think the answer to that question is “no.”
For starters, forty-seven laws requiring that consumers be alerted when their data is compromised already exist, and most have been on the books for 10 years. As the AG letter points out, states have been able to amend their laws quickly to address the “challenges presented by a data-driven economy.” Given the often divisive nature of the federal legislative process, it seems less likely that federal legislation could be as rapidly changed to address current developments.
Second, since 2005, nearly 5,000 data breaches have compromised an estimated 816 million consumer records. As of April 7, 2015, 2,583 data breaches had been reported to the North Carolina Attorney General’s office alone. It seems like it would be a tough task for any federal agency to address a similar incidence of breaches on a national scale.
Third, large-scale, nationwide breaches are a different animal than smaller, regional data breaches, and they are far rarer. As the AG letter points out, smaller breaches with “a large impact in a particular state or region” could be deemed “too small to be a federal priority” and be overlooked.
Finally, much of the congressional action in regard to data security reveals a bent toward trying to address threats arising from malicious insiders and third-party hacks. But experts agree that most data and security breach incidents result from human negligence and system malfunctions or errors.
With a number of bills under consideration in Congress, it remains to be seen how the debate about federal preemption will be decided. However, opposition from states has, for 10 years, carried the day. At this point, a uniform federal data breach notification law looks no more likely than in past years.