Data Breach Bill: Aiming Toward a National Notification Standard

Current Status of Data Breach Notification Laws

June 1, 2015

All but three states have unique data breach notification laws. On a practical level, this means that when a company doing business in multiple states faces a breach of personal information, it must work to comply with state laws that may differ in terms of the timing, content and method of the notice.

Such companies may face sizable fines, penalties and lawsuits if they fail to comply with the myriad patchwork of state laws. Thus, a federal uniform data breach notification standard could decrease some of the expense and woes for businesses that arise from data breach notification.

Recent legislation

Recently, the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade passed a bill authored by Reps. Michael Burgess (R-Texas), Marsha Blackburn (R-Tenn.) and Peter Welch (D-Vt.). The bill, known as the Data Security and Breach Notification Act, is an attempt to create a federal uniform data security and breach notification standard.

The bill would require businesses to implement and maintain “reasonable” security measures to protect personal information. Under the proposed legislation, businesses would have discretion as to “whether there is a reasonable risk of harm” to a consumer that would require notification of a breach. The harm to be considered would be identity theft, economic loss or economic harm, or financial fraud.

The legislation would expressly pre-empt related state laws. It does not specify what constitutes “reasonable” security measures or “reasonable risk” of harm.

Future outcome

It is unclear whether the bill will ultimately be passed by Congress and signed into law by the president, but in any event, this is an issue that is top of mind for lawmakers and, if the influx of recent data breaches is any indication, is likely to have a future.