BreachExchange mailing list archives

Is a Uniform Federal Data Breach Law Really Necessary?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 17 Jul 2015 12:58:13 -0600

http://www.jdsupra.com/legalnews/is-a-uniform-federal-data-breach-law-29280/

In June 2015, the United States Office of Personnel Management announced a
massive data breach. Estimates are that the breach compromises the personal
information of up to 18 million current, former and potential federal
employees. This data breach joined the growing list of mega breaches that
has many calling for a single, federal, uniform data breach notification
law, to replace and preempt the current so-called “patchwork” of state laws
that exist in all but a handful of states.

On July 7, 2015, the Attorneys General of 47 states and US territories
joined together in a letter to congressional leaders opposing any federal
preemption of state data breach notification laws. Echoing a similar
sentiment expressed in a 2005 letter to Congress signed by 44 state
attorneys general, the 2015 letter makes the case that state Attorneys
General offices play the role of “chief consumer protection officials in
[their] respective states” and a federal, preemptive data breach
notification law would minimize that role in the field of data security.

This 2015 letter brings a very important point into focus, which is that
the debate over the “need” for a uniform federal data breach law has been
going on for more than a decade. Given this fact, one must wonder whether a
federal law is really needed. Would a federal law be any more effective
than the current state law “patchwork”? There are a number of reasons to
think the answer to that question is “no.”

For starters, forty-seven laws requiring that consumers be alerted when
their data is compromised already exist, and most have been on the books
for 10 years. As the AG letter points out, states have been able to amend
their laws quickly to address the “challenges presented by a data-driven
economy.” Given the often divisive nature of the federal legislative
process, it seems less likely that federal legislation could be as rapidly
changed to address current developments.

Second, since 2005, nearly 5,000 data breaches have compromised an
estimated 816 million consumer records. As of April 7, 2015, 2,583 data
breaches had been reported to the North Carolina Attorney General’s office
alone. It seems like it would be a tough task for any federal agency to
address a similar incidence of breaches on a national scale.

Third, large scale, nationwide breaches are a different animal than
smaller, regional data breaches, and much more rare. As the AG letter
points out, smaller breaches with “a large impact in a particular state or
region” could be deemed “too small to be a federal priority” and be
overlooked.

Finally, much of the congressional action in regard to data security
reveals a bent toward trying to address threats arising from malicious
insiders and third-party hacks. But experts agree that most data and
security breach incidents result from human negligence and system
malfunctions or errors.

With a number of bills under consideration in Congress, it remains to be
seen how the debate about federal preemption will be decided. However,
opposition from states has, for 10 years, carried the day. At this point, a
uniform federal data breach notification law looks no more likely than in
past years.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 