Step Aside, States?

Erik Jonesby Erik Jones

In the fall of 2005, 44 state attorneys general came together to send a joint letter to Congress and share their concerns about a proposed federal law on data breach notification. Such letters are exceedingly rare, as state attorneys general come from competing political parties and states with varied interests. However, nothing brings state government officials together like a congressional effort to limit states’ power to assist their own residents. And that is just what Congress was doing.

At the time, a number of states had already passed their own data breach notification laws, or were in the process of doing so. The state laws were and are popular because they are based upon a simple but powerful argument. When a company suffers a data breach that includes consumers’ sensitive personal information, it should be required to inform the affected consumers so the consumers can quickly take steps to limit any potential fraud or identity theft stemming from the breached information.

In response to a growing number of data breaches in 2005, including an extensive and widely publicized breach suffered by a data broker named ChoicePoint, members of Congress were also pushing bills that would require companies to notify consumers when their sensitive personal information was subject to a data breach. The state attorneys general supported Congress’s effort, as many had championed the same law in their respective states. But to their disappointment, the legislation also included provisions that would nullify existing state laws on data breach notification and prevent states from passing additional laws on the matter in the future. When Congress does this, it’s known as pre-emption. The prospect of pre-emption alarmed the state attorneys general because of its potential negative impact for consumers.

I have now experienced both sides of this debate. I’ve worked at both the federal and state levels, and I’m currently an assistant attorney general for Illinois. And I share the concerns over pre-emption raised by those state attorneys general nearly a decade ago.

Thankfully, these fears have not yet been realized. Congress has failed to pass a data breach notification law, leaving state laws intact. This failure can be attributed, in part, to Congress’s own disagreement over pre-emption. But that may soon change, as the conditions might be right for data security legislation to move in this Congress. A rash of large, costly data breaches has galvanized public interest in the issue. One political party controls both the Senate and the House of Representatives. And President Obama has rightfully put the issue at the top of his agenda.

During a recent speech at the Federal Trade Commission, and again in the State of the Union this week, President Obama called on Congress to pass a national law on data breach notification. For Congress, the challenge will not be deciding whether to pursue such a law, which is widely supported. The difficult part will be determining the role states will play in data security moving forward.

In order to pass a national law on data breach notification, Congress will have to decide what to do about the 47 state laws on breach notification that have already been enacted—only Alabama, South Dakota, and New Mexico do not have laws requiring data breach notification. The president has argued for the need to end, in his wording, this “patchwork” of state laws. But such a move, if done incorrectly, could be a disaster for consumers.

The state laws on breach notification have been critical for consumers. They are the reason consumers were made aware of the significant data breaches that caught Congress’s attention in 2005. And they are the reason millions of consumers were notified of the payment card breaches that Target, Home Depot, and other large retailers suffered more recently. Without the state laws, companies would not have been legally obligated to notify their customers of the breaches.

In their letter to Congress in 2005, the state attorneys general made similar points, noting that “states have been able to respond more quickly to concerns about privacy and identity theft involving personal information, and have enacted laws in these areas years before the federal government.” The state attorneys general also looked to the future and predicted that pre-emption would interfere with “state legislatures’ democratic role as laboratories of innovation.” Time has validated their assertion.

Over the past decade, as states have developed expertise on the issue, they have also updated their laws to address problems and to adapt them to changes in technology. With the growth of cloud computing and e-commerce, Florida and California have included breaches of login information for online accounts as triggers for a notification requirement. In response to the increased use of fingerprint-reading software, Iowa, Nebraska, North Carolina, and Wisconsin have mandated notification if a breach of biometric information occurs. More than 30 states have enacted laws requiring companies to dispose of sensitive data securely, and a number of states are now requiring companies that handle sensitive personal information to develop reasonable data security practices to protect it.

States have also passed laws that require companies suffering breaches to provide notice directly to the state attorney general. Such a requirement, for example, has enabled California to maintain awebsite of data breaches affecting California residents, which any state resident can access. There are thousands of data breaches on the list. Some are national in scope, but most are local or regional in nature and not covered by the national media. The list helps ensure California residents have the opportunity to learn about the data breaches that have affected them.

If Congress had succeeded in pre-empting state law in 2005, it is likely that none of these protections would exist. States would have been precluded from enacting them. And given the difficulty Congress has had passing a simple data breach notification law, Congress would also likely have had a difficult time updating or expanding the law.

For four years I served in various capacities for the Senate Committee on Commerce, Science, and Transportation, while my boss, Sen. Jay Rockefeller, D-W.Va., was working to pass consumer protection legislation on data security and legislation to protect our nation’s most critical infrastructure from cyberattacks. Throughout my time with the committee, I had a front-row seat for the debate over pre-emption.

On one side were the consumer advocates, who were concerned that a weak national law, combined with pre-emption, would mean fewer protections for consumers. On the other side was the business community, which complained that meeting the requirements of nearly 50 separate laws on breach notification was inefficient and burdensome. At the time, I thought I understood the costs and benefits of pre-emption. I now know that I did not.

In 2013 I took a position working for Illinois Attorney General Lisa Madigan. Through it, I have experienced firsthand the important role states play for consumers. State attorneys general hear directly from the residents they serve on a daily basis. In Illinois, thousands of residents have asked our office for help with data security and identity theft. They have not asked that we step aside so that the federal government can handle it.

This year Attorney General Madigan will be proposing a number of updates to Illinois’ data breach notification law. These updates are based upon the lessons we have learned through our efforts to enforce our data breach notification law and consumer protection laws. It would be a shame if we were prevented from using these insights and pursuing these updates, which are designed to protect consumers, because of an overly broad pre-emption provision in federal law.

While a national law on data breach notification is long overdue and very much needed, a perverse outcome is possible, in which Congress pre-empts states and at the same time passes a weak notification law that provides consumers with notice of data breaches only when very specific conditions are met. If not narrowly tailored, a pre-emption provision could place a wedge between consumers and the very state agencies that serve them.

This piece originally appeared in Slate’s Future Tense section.

Erik C. Jones is the policy director and an assistant attorney general in the Illinois Attorney General’s Office and an Adjunct Professor at IIT Chicago-Kent College of Law.


This post also appeared on CKPrivacy.org (archived version)

Improving Defenses: Data Breaches and Security Standards

Richard warnerby Richard Warner

The recent wave of massive data breaches shows that businesses holding sensitive data need to do a better job of protecting it. That has fueled renewed calls to give businesses an incentive to improve data security by promulgating industry or statutory standards. The irony is that the breaches also show that it is extremely difficult for standards—statutory or industry—to sufficiently improve security. Target, for example, complied with all relevant industry standards but was easily breached.

The problem runs much deeper than the usual concern about industry capture. To begin with, standards are often too specific, addressing just a few of the wide range of problems associated with contemporary networks attacks. For example, Target’s point of sale systems were PCI (Payment Card Industry) compliant, but that provided no protection for the rest of Target’s complex network. Further, promulgated standards, no matter how wide reaching, are always behind the curve in the rapidly escalating war of network attack and defense. For example, PCI standards did not, at the time of the Target breach, require that credit card information be encrypted for the milliseconds it took to transfer it from the payment terminal to the network, so the hackers simply recorded the information at that point. Finally, standards are simply a roadmap for attackers. They just tell them what networks guard against and what they probably don’t.

So should we abandon the idea of using statutes or industry standards to give businesses an incentive to improve data security? That would almost certainly be a mistake since market incentives run the wrong way. Consumers have been unwilling to pay for the added value of security through slightly higher retail prices or credit card fees, and companies dependent on consumer sales don’t offer what consumers don’t want. Consumers end up paying even more to cover the high cost of data breaches, but that fact has not created any “pay more for security” reaction.

So the task is clear: formulate standards with sufficient detail to provide genuine guidance but with enough flexibility to encourage innovation and keep pace with rapid change. It is just the solution that eludes us.


This post was originally published on CKPrivacy.org (archived link)