Data thefts at U.S. retailers have rekindled enthusiasm in Congress for a single federal law on how customers should be notified about such breaches, but those efforts face the same roadblock as in the past: dozens of overlapping state laws already in place.
Congressional hearings and calls for new powers by consumer protection agencies followed quickly after breaches at retailers Target Corp., Neiman Marcus and Michaels Companies were revealed.
Several Senate bills that languished in past years have been revived, spearheaded by powerful Democrats on commerce, judiciary, intelligence and homeland security committees.
But the new bills are mostly reiterations of old ones that failed to advance, in some cases repeatedly. And the same hurdles to reaching agreement in the past remain powerful obstacles, notably the question of whether or how the federal law would trump, or pre-empt, state regulations.
“Pre-emption is going to be a major part of discussions,” Representative Lee Terry, a Nebraska Republican working on a data security bill in the House of Representatives, said last week after a hearing on the data breaches.
The issue tracks a peculiar path in Congress. Privacy concerns cut across party and ideological lines, sometimes uniting staunch conservatives with liberals. And efforts involving multiple committees often face slightly different agendas, with gridlock often the result.
“Tech is very complex policy,” said one Senate aide. “It’s hard to move legislation sometimes.”
TUG OF WAR
Although federal laws already regulate how specific industries, such as banks and hospitals, handle compromised data security, certain other kinds of companies, including retailers, face no such uniform standard.
Instead, 46 states and the District of Columbia have passed their own laws that tell companies when and how consumers have to be alerted to data breaches and what qualifies as a breach.
With that, negotiations over fitting state standards under an umbrella federal law face a tug of war between companies, consumer advocates and state authorities.
Large companies working across state lines argue that state laws present a patchwork of regulations and compliance poses a challenge. Companies often issue one nationwide notice to consumers with state-specific supplements at the end.
“Certainly, one standard is easier to follow than 47,” John Mulligan, Target’s chief financial officer, told lawmakers at a hearing last week. The No. 3 U.S. retailer has stores in every U.S. state except Vermont.
The National Retail Federation in a January letter to Congress also restated its decade-old position in favor of a nationwide standard that would pre-empt state rules.
“A preemptive federal breach notification law would allow retailers to focus their resources on complying with one single law and enable consumers to know their rights regardless of where they live,” the lobbying group wrote to lawmakers.
STATES’ ENFORCEMENT POWER
Some state attorney generals worry above all that federal standards would dilute their power to pursue violators.
Illinois Attorney General Lisa Madigan said last week that states must keep their ability to enforce. Only under those conditions “it’s potentially reasonable to say ‘OK, we’re going to pre-empt you,’” Madigan said.
“As long as we still retain the ability to respond to our consumers, and this is looked at in some ways potentially either as a floor and not a ceiling, we understand your role.”
But charting such a course would be less palatable to powerful industries and some lawmakers.
“There are 47 state standards, there’s no reason to add a 48th,” said Terry, the most prominent Republican leading a legislative effort at this point.
Consumer advocates say that the companies’ call for a single law masks the goal of having a weaker federal standard that would trump stricter laws on the books in states like California and Massachusetts.
“None of the federal proposals are as strong as the strongest state laws and that’s wrong,” said Edmund Mierzwinski, consumer program director at U.S. Public Interest Research Group. “I don’t think we need (a federal law) that’s weaker than California’s.”
California was the first state to adopt a data breach law in 2003. After a decade of fine-tuning, it requires a detailed disclosure to consumers “in the most expedient time possible and without unreasonable delay” when personal information, including emails with passwords, is “reasonably believed” to have been stolen.
Though many state requirements are broadly similar, some states, such as Montana and Ohio, require notification only if a breach poses or is believed to pose harm or material risk such as identity theft.
Many states also use more limited definitions of what personal information is included. A common definition includes name combined with the Social Security number, driver’s license number or payment card number together with information needed to access financial records.
Alabama, Kentucky, New Mexico and South Dakota do not have their own data breach notification laws.
(Reporting by Alina Selyukh, editing by Ros Krasny and Cynthia Osterman)