Is Now the Time for Federal Data Breach Legislation?

Amid turmoil in Washington, D.C.,with the next election cycle starting in six to ten months, and with increased rhetoric about national emergencies and homeland security, a growing predicament is going unnoticed. As of July 1, 2018, all 50 states have implemented a data breach notification law. While this may not seem like a calamity, it creates a situation as important as any other national issue. Without a federal data breach law, serious constitutional and legal questions exist that can ill afford to wait for a quieter time.

The current data breach notification laws, however, allow one state to drive the minimum acceptable standard for notification. Few companies today conduct solely intrastate business. Therefore, the laws of multiple states apply to most companies. The nature of business and electronic commerce is that it is interstate. As such, a proper standard needs to be established.

With each state setting distinct guidelines, it is now incumbent on organizations to know the applicable laws of every state in which their customers live. For example, Florida requires notification within 30 days, while other states require notice with “a reasonable amount of time.” This ambiguity and disparity means that organizations, whose budgets are already tight, end up having to complete post-breach activities according to the state with the most restrictive guideline.Otherwise, organizations that face data breaches must follow fifty different notification deadlines. Additionally, 50 different laws and regulators means potentially having to answer 50 different sets of questions about the breach response.

Divergent data protection laws create a constitutional crisis that the U.S. legislature must remedy. ArticleIV, Section 1 of the United States Constitution states that, “Full Faith andCredit shall be given in each State to the public Acts, Records, and judicial proceedings of every other State.” This means that Texas must recognize all law passed inCalifornia as valid. It is this prescription that helped to abolish or enforce laws related to marriage equality, child support judgements, and driver’s license authenticity.

The Fourteenth Amendment to the U.S. Constitution states, “No State shall…deny to any person within its jurisdiction the equal protection of the laws.” One state affording more privacy protection to its citizens, raises an argument about the equal protection of a citizen in another state. Additionally, a state action that allows civil lawsuits against a company for data breaches in California, could lead to one group of citizens receiving a benefit that is not available to citizens of other states affected by a breach of the same company.

This federal versus state issue is not new, in fact it is as old as the country itself. We have seen this issue arise in relation to marijuana and immigration related laws (for example,Arizona 2010 law SB70). To arrive at a remedy, one must analyze who has the authority to pass a standardized data breach notification law. It must be decided whether these laws can only be passed at the state level or if the FederalGovernment is the prevailing jurisdictional body of law making.

Article I, Section 9 of the U.S.Constitution gives Congress the power to, “regulate Commerce with foreignNations, and among the several States, and with the Indian Tribes.” Further,Article VI, Section 2 states that, “This Constitution, and the Laws of theUnited States which shall be made in Pursuance thereof…shall be the supreme Law of the Land; and the Judges in every State shall be bound thereby, any Thing in the Constitution or Laws of any State to the Contrary notwithstanding.” These sections mean that Congress can regulate commerce that occurs interstate, and that any law passed in this regard would supersede a state law. Few would argue that most of modern day business transactions cross state lines. Companies likeMarriott, Equifax, TJ Maxx, Target, and Home Depot, who have all suffered breaches before, maintain headquarters in one state, but conduct business in most or all the 50 states.As such, Congress is uniquely suited to address the ambiguity and diverse nature of data breach notification requirements and deadlines.

On January 16, 2019, Florida Senator Marco Rubio introduced the “American Data Dissemination (ADD) Act”.This law would be the first major step towards a federal data privacy law since the “Privacy Act of 1974”. As a first step, the law would:

1. Not later than 180 days after enactment of the ADD Act, the Federal TradeCommission (FTC) must send detailed recommendations for privacy requirements that Congress can impose on covered providers. These requirements would be like the requirements applicable to agencies under the Privacy Act of 1974.
2. Not earlier than one year after the date on which the Commission has sent detailed recommendations (18 months after enactment), the FTC will publish and send to the appropriate committees of Congress proposed regulations to impose privacy requirements on covered providers that are substantially similar to the requirements applicable to agencies under the Privacy Act of 1974.
3. To ensure Congress acts in a timely manner, if the Congress fails to enact a law based on the recommendations provided by the date that is two years after enactment of this bill, the FTC would promulgate a final rule, not later than27 months after the date of enactment to impose privacy requirements based on the narrow, congressionally mandated course of action created through this bill.

Senator Rubio astutely concludes in an Op-Ed article released on the website for political newspaper The Hill that, “a state-by-state patchwork of laws is simply not an effective means of dealing with an issue of this magnitude. Internet data is unquestionably interstate commerce, and it is the responsibility of Congress to take appropriate action.” Other Senators have also introduced privacy and data breach legislation, and the merits of those laws should be debated as well. With the coming implementation of the CaliforniaConsumer Privacy Act (CCPA) on January 1, 2020, and the pending election cycle, there is now a growing consensus that current data privacy laws are inadequate and that the state by state approach is ineffective. Now is the time for consumers and industry to write and call their elected officials to express support for national data privacy and data breach notification legislation.