Graves Concerns

Senator Dianne Feinstein re-introduced her federal data breach notification bill this week. This is the Senator’s fourth attempt to pass a data breach bill, having introduced similar bills in 2003, 2005, and 2007.

The bill looks at lot like Sen. Feinstein’s previous bills. Most importantly, this year’s bill, like previous bills, would preempt state data breach laws. That would be good for businesses, who currently have to track forty-seven data breach notification laws enacted by states, the District of Columbia, and two territories. A federal data breach notification law would replace all these different laws with a single standard for notification. Consumers, however, might be better off without a national breach notification law, because companies usually comply with whichever state law demands the most of them, rather than adjusting their notifications by state. A federal data breach notification law therefore has to be carefully written so that it doesn’t end up reducing consumer protection.

Preemption is almost certain to be part of any national data breach notification law. Only 6.7% of Americans live in states without data breach notification laws, and they probably get breach notifications as a side effect of other states’ laws. So a national law is no longer necessary to ensure notification, but it could still be used to create uniform requirements—which means preemption.

Sen. Feinstein’s previous bills didn’t get far, even when TJX and Choicepoint were in the news. This year, we have no data breach poster child, and lots of other priorities. It’s a new Congress and a new administration so anything could happen, but unless there’s another big public breach I’d be surprised if this bill gets much attention this year.