Changes to Data Breach Notifications in the Air

Reading time: 4 min
Share this Share on email Share on twitter Share on linkedin Share on facebook

Ever since the first data breach notification law went into effect July 1, 2003 in California (SB 1386), there has been controversy surrounding what types of data being exposed should trigger data breach notifications, who should be notified, and how quickly they should be notified. In fact, it’s become somewhat of a mess.

Since that summer in the United States about 15 years ago, just about every state created its own version of the data breach notification law, which (some contend) has created a hodgepodge of state laws all organizations that hold data must comply. Increasingly they’re calling for a uniform standard.

Last month (February 13), the National Retail Federation (check) asked the Subcommittee on Financial Institutions and Consumer Credit during a hearing on the current data breach notification regulatory framework, the NRF had a number of suggestions, including promoting reasonable data security standards, “appropriate FTC security enforcement, as well as broadening breach notifications — however the top of the list was establishing a federal databreach notification law:

Establish Uniform Nationwide Law: First, with the fifty-two inconsistent breach laws currently in effect in 48 states and 4 federal jurisdictions, there is no sound reason to enact federal legislation in this area unless it preempts the existing laws to establish a uniform, nationwide standard so that every business and consumer knows the singular rules of the road. One federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs. Simply enacting a different, fifty-third law on this subject would not advance data security or consumer notification; it would only create more confusion.

The calls for a uniform data breach disclosure law have been going on for years, and have increased as the number of state laws have proliferated and their complexity increased. “While most state data breach notification statutes contain similar components, there are important differences, meaning a one-size-fits-all approach to notification will not suffice,” wrote the law firm Foley and Lardner in this blog post on state data breach notification laws. “What’s more, as data breaches continue to rise, states are responding with increasingly frequent and divergent changes to their statutes, creating challenges for compliance. Organizations must make it a priority to monitor these changes to prepare for and respond to data breaches,” the firm wrote.

To get a sense of just how complex the matrix of state data breach disclosure laws are, have a look at the law firm’s chart (.pdf) of the data breach disclosure laws throughout all 50 states.

The NRF isn’t some fringe group. The NRF is the largest retail trade association, and represents all types of retailers from the United States and more than 45 countries. 

The NRF is one among an increasing number of organizations who are calling for a national data breach standard. In early January 2018, the Financial Services Roundtable sent a letter to the House Energy and Commerce Committee urging Congress to enact national data breach legislation to better protect consumers. The Financial Services Roundtable called upon Congress to pass federal data protection and consumer breach notification legislation that would supersede the current patchwork of state laws.