Federal Breach Law? No Time Soon
Despite the confusing patchwork of today's data breach disclosure laws, attorney Chris Wolf says don't hold your breath for a federal version.
By Joan Goodchild, Senior Editor
December 11, 2008 — CSO —
Since California's historic 2003 passage of a data breach law, most other states in the U.S. have followed suit. 44 states now have laws that lay out requirements for companies in the event that sensitive information is compromised. Despite the groundswell of interest in the issue at the state level, there is currently no similar federal law. Chris Wolf, a Washington, D.C.-based attorney with Proskauer Rose LLP and chair of its privacy and security practice group, spoke with CSO about how long it may be until we see one.
CSO: 44 states now have individual breach laws on the books, but we currently have no federal law. Will we see one soon?
Chris Wolf: I don't think you will see a federal law come out of the next session of Congress. I would be very surprised if that happened given the nation's current priorities and given the difficulties Congress has had considering bills for a federal breach law in the past. A lot of businesses want to have a very high threshold for notification that gives them a lot of discretion on when to notify. And many consumer groups think too much discretion will mean not enough notice is given to consumers. So you have that tension and this battle and, as a result, the issue is deadlocked.
Given the high-profile nature of a number of breaches, such as the TJX incident, aren't people demanding a federal law?
Consumers are not left unprotected with the current state of affairs, and it takes the pressure off of Congress to create a legislative remedy. But it is very difficult to comply with this patchwork quilt of laws.
Because of the individual laws in so many states, people are being notified. Many of the laws require companies to comply with the law for each state in which a client resides. So, if a company has data on people from several states, there is going to be nationwide notice.
There are certain federal breach requirements for financial institutions that are under federal supervision. For instance: all banks, broker-dealers, and other investment companies. So if they are federally regulated there is a notice requirement.
You mention how difficult it is for companies to comply with all of the state laws. Why is that?
Because the triggers for notification vary from state to state. And now even the content of the letters that go out varies from state to state. If a company finds it has data that has been compromised on someone from Massachusetts and also someone from Maryland, it has to send out separate letters with different content. There is also the issue of notifying the appropriate regulators, because each state has its own laws on notification obligations with respect to regulators. It's very complicated to navigate the maze.