Data breach bill is really a fight about federal preemption
WASHINGTON — A legislative proposal to create a federal standard on how firms notify customers of a data breach is prompting new preemption concerns among consumer groups and state regulators.
Lawmakers have pushed for national data breach standards, including how hacked companies communicate with affected customers, in the wake of incidents such as last year's Equifax breach. A bill by Rep. Blaine Luetkemeyer, R-Mo., codifying federal breach notification standards for financial institutions passed the House Financial Services Committee last week.
Proponents say the measures would address gaps in notification practices revealed in recent breaches, and industry groups support having consistent standards for all 50 states. But some consumer advocates and officials at the state level worry national standards could weaken strong data breach rules that are already in place in a select number of states.
"It would provide consumers in certain states with less protection than they have now in terms of the types of information" released to consumers and "the timing of a breach notification," Margaret Liu, a senior vice president at the Conference of State Bank Supervisors, said of the Luetkemeyer bill. She added that the bill "limits state regulators' ability to examine [firms] for compliance."
Consumer advocates point to laws in states such as California, Vermont, New York, Massachusetts and Illinois as being effective in requiring companies to be upfront about a breach.
“The only thing it really does is weaken the standards,” said Linda Jun, senior policy counsel at Americans for Financial Reform, of the House bill. “What this bill does is by preempting state data breach laws, it just makes all of that weaker.”
A provision in the Gramm-Leach-Bliley Act created a floor for federal data breach standards, but allows states to develop stronger standards. But the Luetkemeyer bill would amend that earlier law to give a federal breach-notification standard preemptive power over a state law.
Ed Mierzwinski, senior director of the Federal Consumer Program at U.S. PIRG, said in an interview that states have been leading the way in implementing consumer protections.
“States have always innovated, we don’t need a federal data breach law,” Mierzwinski said. “Congress only leads when there’s a catastrophe or when the states show it the way.”
But some lawmakers say having a different breach notification standard in each state poses its own problems.
“A number of businesses and trade associations have called for Congress and the federal government to establish one unified data breach standard, so businesses could operate across state lines, they wouldn’t be forced to comply with a patchwork of different regulations,” said Sen. Mike Rounds, R-S.D., at a Senate Banking Committee hearing Tuesday.
William Boger, senior vice president and chief legislative counsel at the American Bankers Association, said that "in practicality the states are all over the place on this kind of issue."
"Why should a consumer in state X have less protection than someone in state Y?” Boger said.
At the House Financial Services Committee's markup of the bill last week, Rep. Maxine Waters, D-Calif., the panel's ranking member, unsuccessfully offered an amendment to strike the provision that would preempt state laws.
An "individual's data is too important whenever you have a situation where you have a multistate business that is going to notify one customer in one way and not notify or notify a different customer in a different way," Luetkemeyer said in opposition to the amendment. "This is unacceptable. Across the board, we need to have a notification standard that protects our consumers, protects our constituents, and protects the customers of these businesses."
Yet Liu said a federal standard is not necessarily a better standard.
“Gramm-Leach-Bliley was a floor not a ceiling. This sets the ceiling. And this ceiling is in some cases below the floor,” she said. “This bill does not create a floor that allows for higher, greater protection. This bill just creates one standard.”
Still, some analysts say the inconsistency posed by different state laws may create its own flaw in how companies notify their consumers of a breach, and a federal law may be an easier solution than states harmonizing their standards.
“It’s difficult for me to see all 50 states getting on the same page here,” said Boltansky, director of policy research at Compass Point Research & Trading. “I think it makes more sense to implement a federal standard.” But he noted that the “scale and scope” of a federal standard creates a question.
Sen. Mark Warner, D-Va., has been pushing for tougher federal standards on firms that hold consumers’ personal data and said at the Senate hearing that he would like to see leadership on data breach legislation at the national level. However, he has not endorsed the Luetkemeyer bill.
“There’s a group of us bipartisan that have been working for, now three and a half, four years to try to at least standardize data breach legislation,” Warner said.