Feds Attempt To Preempt Conflicting State Laws On Data Breaches

Eric Junginger
April 8, 2015

Federal and state privacy and data security laws affect nearly every industry ranging from healthcare providers to financial institutions to start-ups. One federal bill that could bring clarity to varied state laws and regulations is the Data Security and Breach Notification Act of 2015 originally co-sponsored by Representatives Marsha Blackburn (R-TN) and Peter Welch (D-VT). If passed, it will change how companies, non-profit organizations, and common carriers handle data breach notifications from trying to comply with an uneven quilt of state laws to a single, enforceable, uniform standard.

There are two important provisions in this Act. First, this federal law would preempt all existing state data breach notification laws, providing a single uniform rule for what to do when a company discovers a data breach. Second, the rules for data breach notification are well defined for all companies. For example, the bill states what information a company will need to provide in its data breach notice, how notification should happen (even when some of the contact information for data breach victims is outdated), and when it should take place (not later than 30 days after the entity has investigated and secured its system).

The Act’s structure requires companies to maintain reasonable security measures, and to notify affected people by mail or by electronic means in certain situations in the event of a data breach that causes the loss of unencrypted personal information. For large-scale breaches, companies would also have to inform the Federal Trade Commission (“FTC”), a credit reporting agency, and federal law enforcement. The Act would be enforced through the combined efforts of the FTC and the states’ attorneys general. Damages for non-compliance are currently capped at $11,000 per day, up to a maximum of $2.5 million per breach incident.

Hanson Bridgett’s Privacy, Data Security and Information Governance attorneys monitor pending cybersecurity-related legislation in Congress and in California’s Legislature, and will provide an update on this Act if it is enacted.

Everett Monroe, a law clerk with Hanson Bridgett, assisted in authoring this post.