Generally, state security breach notification laws require that organizations that collect, own or license personal information about a state's residents notify these individuals and, in some cases, other entities, such as consumer reporting and law enforcement agencies when unencrypted personal information has been lost or compromised.
Since my column was published, the Privacy Rights Clearinghouse (www.privacyrights.org) reported no fewer than 65 incidents of lost or compromised personal information in the U.S. affecting more than 3.5 million people. In December 2006, the Privacy Rights Clearinghouse also reported that security breaches had resulted in 100 million records being lost or compromised.
Federal Efforts to Pass Legislation
Over the past several years, Congress has engaged in a bipartisan effort to address security breaches. By the end of 2006, several pending bills would have created more stringent notification requirements, such as eliminating the encryption safe harbor that provides an exception from compliance with the state law if an organization encrypted the lost or compromised data, and expanding the Federal Trade Commission to include an Office of Identity Theft.
The new 110th Congress appears to be picking up where the last session of Congress left off with this legislation. Sen. Dianne Feinstein of California has already introduced the Notification of Risk to Personal Data Act, a bill requiring federal agencies and persons that are engaged in interstate commerce in possession of personally identifiable information to disclose any breach of such data.
Like several state security breach notification laws, the bill would require that business entities (and the federal government) notify individuals without unreasonable delay when there has been a security breach involving personal data. The bill also sets forth more stringent notification requirements, such as eliminating the encryption safe harbor and creating additional law enforcement notification requirements.
To Pre-empt or Not to Pre-empt?
If you're an IT executive, you may soon need to understand and comply with a federal security breach notification law. One of the most critical issues for your company -- and paradoxically one of the least-noted provisions -- is the impact of federal security breach notification requirements on state laws. If the Notification of Risk to Personal Data Act becomes law, it would effectively pre-empt state laws. Such a uniform approach would make compliance with the notification requirements easier and less costly.
But it doesn't end there. Congress has frequently amended its approach to pre-emption at the last minute, which could result in states being allowed to enforce laws that are more stringent than the federal law. If Congress pre-empts the act, your company would be required to comply with the federal law and each of the more stringent state laws, adding another layer of complexity to an already confusing, time-consuming and costly process.
Matt Karlyn, J.D., M.B.A., is a member of Foley & Lardner LLP's Information Technology & Outsourcing Practice Group in Boston. Write to him at firstname.lastname@example.org.
This was first published in February 2007