State Attorneys General Tell Congress – Don’t Preempt Our Breach Notification Laws!
Wednesday, July 8, 2015
State Attorneys General Tell Congress – Don’t Preempt Our Breach Notification ";s:

Related Practices & Jurisdictions
Print Mail Download i

In the wake of recent, large-scale data breaches, one being the breach at the Office of Personnel Management (OPM) affecting millions of federal employees, a number of bills have been battling their way through Congress to address breach notification and data security requirements at the federal level. There has been an ongoing pattern for years – big breaches, flurry of bills in both houses of Congress, bills die… big breaches, flurry of bills in both houses of Congress, bills die…

A sticking point for this legislation now and in past years is whether a federal law should preempt state notification laws. In a letter signed by the Attorneys General of every state that has a data breach notification law (that is, 47 state Attorneys General), the National Association of Attorneys General tells Congress to let states continue to address this issue. It does not appear that the NAAG is necessarily opposed to a federal data breach notification law or data security standard, it just prefers that “a federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft.”

However, many consider the matrix of state laws to be confusing and a barrier to a streamlined notification process that a uniform federal standard might bring. There is some merit to this. For example, the notification law in Massachusetts prohibits businesses from describing the circumstances of the breach in the notification letter. However, the notification laws in many other states require the letter contain a brief description. Also, some states such as New Jersey require notification to a state agency before notification is made to affected individuals, while other states do not have such a requirement. A third example is that many state laws have a “risk of harm” trigger; that is, a provision that says, in essence, notification is not required if there is not a significant risk of harm to the affected persons. The language in these provisions, however, varies considerably, making it difficult for a business to apply those provisions in a multi-state breach.

The debate certainly will continue. But what is important for businesses large and small is that they have a plan to respond to a breach, and practice that plan. Most companies will experience a data breach affecting personal information and, whether driven by federal and/or state laws, will likely have to notify affected persons. Preparation is critical, and here are some questions businesses, particularly small and mid-sized businesses should be asking:

  • Who are the key people in the organization that would be in the best position to drive the breach response?

  • Do employees know what a data breach is and where to report one?

  • Does the company have vendors lined-up in the event there is a breach?

  • Does our IT team have the appropriate expertise – they manage our systems, and IT equipment, but do they know data security, forensics, etc.

  • Who should we call first if we suspect we have had a breach?

  • Do we have to bargain with the union about our plans for dealing with breaches involving employee data?

  • Is there an insurance policy that might cover some of the costs?

  • Do we have a plan for addressing media attention?

  • Do we have any contractual obligations in connection with a breach? Will this affect our government contract? Have we met our payment card obligations (PCI compliance)?

  • Are we prepared to have our data privacy and security safeguards and written policies scrutinized by a federal or state agency?

  • What steps should we be prepared to take to mitigate potential harm following a breach?

Jackson Lewis P.C. © 2024

Current Legal Analysis

More from Jackson Lewis P.C.

CBP Proposes Changes to Arrival and Departure Record, ESTA Systems
by: Carla Josephine Stenzel
A Deepfake of a Baltimore High School Principal Raises Significant Employment Issues
by: Joseph J. Lazzarotti
Live from Workplace Horizons 2024 — Episode 3: What Employers Need to Know About Being Compliant, Inclusive and Proactive [Podcast]
by: Felice B. Ekelman , Laura A. Mitchell
Tips for Restaurants, Retailers When Faced With Sabbath Day Requests
by: Andrew F. Maunz
Understanding Maryland’s New Wage Posting Law: A Guide for Employers
by: K. Joy Chin
Live from Workplace Horizons 2024 — Episode 2: What Employers Need to Know About Litigation and Investigations [Podcast]
by: Stephanie L. Adler-Paindiris , Lisa Barnett Sween
Live from Workplace Horizons 2024 - Episode 1: What Employers Need to Know About Keeping Your Workplace Safe, Drug-Free, and Productive [Podcast]
by: Emily S. Borna , Matthew F. Nieman
Digital Nomad Visas Offered by Italy, Japan
by: Minnie Fu
Top Five Labor Law Developments for April 2024
by: Jonathan J. Spitz , Richard F. Vitarelli
Utah Expands Employee Religious Protections
by: M. Christopher Moon

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins