Six states have enacted tough data privacy measures in recent weeks and legal experts say that with others likely to follow, it may be time for Congress to create a national standard.
Five states - Georgia, Arkansas, Montana, Washington, and North Dakota - have adopted laws that require companies to notify customers whenever sensitive information has been lost or stolen, and under Indiana's new law state agencies must notify residents of a security breach, said Pam Greenberg, a program principal at the National Conference of State Legislatures. They are the first states to enact such laws since California became the first in the nation to do so two years ago.
But the laws, passed in response to some high-profile security lapses at major corporations, affect banks in different ways. In Montana and North Dakota, for example, they have a little more leeway than in California in deciding when to notify customers. And observers say that it is unclear if banks are even subject to the new Georgia law.
Gilbert T. Schwartz, a partner with the law firm of Schwartz & Ballen in Washington, D.C., said that the hodgepodge of new laws could cause headaches for banks and other companies that operate in multiple states.
"Banks are going to have to keep tabs on who gets what notice, under what circumstance, depending on where they live - and that will be expensive," Mr. Schwartz said. "We may very well end up with a need for some type of federal legislation making notification requirements uniform throughout the country."
Congress is considering several bills, including one authored by Sen. Dianne Feinstein, D-Calif., that would require notification. A host of legislators, among them several prominent Republicans, are expected to introduce similar bills this year.
At a House Energy and Commerce subcommittee hearing on data security Wednesday, Oliver I. Ireland, a partner in the law firm of Morrison & Foerster LLP and a former Federal Reserve Board associate general counsel, urged Congress to act.
Testifying on behalf of Visa U.S.A. Inc., Mr. Ireland said, "The keen interest that states have shown to legislate on the issue of security-breach notification emphasizes the need for a single national standard for security-breach notification in order to avoid confusion among consumers."
Data privacy bills were introduced in 32 states this year, including California, where several pending bills would enhance that state's 2-year-old law. Ten state legislatures adjourned without passing data privacy bills this year, and bills are pending in 16 other states where legislatures are still in session.
The flood of proposed legislation was prompted by a series of widely reported mishaps. In February, ChoicePoint Inc. disclosed that in October it had sold information on 145,000 consumers to fraudsters posing as legitimate businesspeople. The company delayed a public announcement at the request of law enforcement officials.
Soon after that, Bank of America Corp., Lexis-Nexis, and the retailers DSW Inc. and Ralph Lauren reported security failures that led to unauthorized access or huge losses of customer information.
Some banking trade groups argued that banks should be exempt from notification laws because they are already subject to reporting guidelines spelled out in the Gramm-Leach-Bliley Act of 1999, which was enhanced by federal regulators in March.
Under these updated guidelines, banks and thrifts must tell their regulators about any compromise of sensitive customer information but have more flexibility in deciding whether to notify customers. If a bank determines that misuse of its customer information has occurred or is reasonably possible, customers should be notified in a "clear and conspicuous manner," the guidelines said.
Banks were included in the initial draft of North Dakota's bill but gained an exemption after convincing lawmakers that they were already complying with federal laws.
"It was truly our good luck that interagency guidance came out contemporaneously" with the North Dakota bill, said Marilyn Foss, general counsel with the North Dakota Bankers Association.
Montana's law gives all companies doing business in that state similar latitude.
Steve Turkiewicz, the president and chief executive of the Montana Bankers Association, said his state's law is a much better alternative to laws like California's, which requires companies to notify customers on their Web sites or through the news media of any security breakdown, even if it is unlikely that customer information would be misused.
"You end up alarming customers unnecessarily," Mr. Turkiewicz said. "And, when a breach of significant consequence happens, the impact of that breach - and subsequent notification - may be diminished."
The Arkansas law is similar to California's in that it requires companies to make security breaches public, though it does provide an exemption to companies regulated by federal laws that provide "greater protection to personal information." Charles Miller, director of government relations at the Arkansas Bankers Association, said while there is no specific carve-out for banks, bankers there are comfortable with the language of the new law.
"If it does start to cause problems, we'll revisit it," Mr. Miller said.
Though Georgia's law is intended to limit the type of company that has to notify customers to "information brokers" such as ChoicePoint, of Alpharetta, Ga., Mr. Schwartz said that it is hard to tell whether the courts would interpret the law's definition of such a broker more broadly to include banks. It defines information brokers as those collecting information for a fee for the purpose of furnishing that information to "nonaffiliated third parties."
"The question will be whether a bank that is sharing information about its customers to joint marketers will come within this definition," Mr. Schwartz said. "This law may have the unintended consequence of bringing in companies that were not intended to be covered."
Michele Heller and Alan Kline contributed to this story.