Another Breach Notification Bill IntroducedTougher State Requirements Wouldn't Be Usurped in New Bill
Privacy advocates in the Senate have unveiled a national data breach notification bill that would allow states to keep their own laws if they provide more stringent reporting and privacy protections than offered by the federal government.
The Consumer Privacy Protection Act, introduced April 30, is sponsored by Sen. Patrick Leahy of Vermont along with five other Democratic senators as cosponsors: Al Franken of Minnesota;, Ed Markey and Elizabeth Warren, both of Massachusetts; Richard Blumenthal of Connecticut; and Ron Wyden of Oregon.
Although backed by a number of privacy and civil liberties group, business organization would likely oppose the bill because it would not standardize the reporting of data breaches. A major objection to the current regime is that 51 states, territories and the District of Columbia have their own laws with varying requirements that businesses contend make it burdensome to comply with when a breach occurs.
"A federal standard cannot simply become a 48th standard that states can add their own requirements atop," Elizabeth Hyman, executive vice president for public advocacy at the technology trade group TechAmerica, told Congress earlier this year. "Overlaying more regulations on top of the existing patchwork of laws adds to the problem and does not help our companies protect consumers."
Argument Against Preemption Offered
Other bills introduced in the current Congress would usurp state laws with varying reporting and security requirements with a single federal law. "A national data breach standard may make sense on one hand: having multiple, inconsistent laws for when to notify consumers of a breach could be difficult for companies to implement," said Alex Bradshaw, a fellow at the think tank Center for Democracy and Technology. "However, consumer protections would be significantly set back if the federal standard preempts significantly stronger state laws, or stops states from responding to emerging threats by passing new notification requirements."
Indeed, privacy advocates and leaders in states with laws containing stringent cybersecurity requirements object to the other bills they see protecting the security and privacy of their citizens. "Federal legislation will only be helpful to consumers if it provides them with greater privacy and security protection than they have today," said Susan Grant, director of consumer protection and privacy at the Consumer Federal of America. "Most of the bills that we have seen in Congress would actually weaken existing consumer rights and the ability of state and federal agencies to enforce them."
Massachusetts Assistant Attorney General Sara Cable testified last month at a House hearing that about a dozen states, including Massachusetts, prescribe how data containing personally identifiable information should be secure. "Minimum data security standards are important and necessary, but the proposed standards (in other bills) leave consumers' data vulnerable," Cable said.
Summary of Bill
Among the Consumer Privacy Protection Act's key provisions:
- Requires companies that store sensitive personal or financial information on 10,000 customers or more to meet consumer privacy and data security standards to keep this information safe, and notify the customer within 30 days of a breach.
- Establishes a broad definition of information that must be protected, including Social Security numbers; financial account information; online usernames and passwords; unique biometric data, including fingerprints; information about a person's physical and mental health; information about a person's geolocation; and access to private digital photographs and videos.
- Compels companies to inform federal law enforcement of all large breaches, as well as breaches that involved federal government databases or law enforcement or national security personnel.
- Guarantees a federal baseline of strong consumer privacy protections for all Americans by preempting weaker state laws, while leaving stronger state laws in place.
"We must ensure consumers have strong protections on the federal level, but in so doing, we must make sure Congress doesn't weaken state protections that consumers rely on to keep their information safe," Blumenthal said. "Importantly, this measure strikes the right balance between state rights and strong federal enforcement and extends consumer privacy protections into a new digital era."