States start to set their own bar for data-breach notification
By Rodika Tollefson, ThirdCertainty
As prospects of passing consumer-privacy legislation in Congress remain bleak, state lawmakers are picking up the ball and running with it.
At least 32 states have data-breach notification laws on the docket this legislative session, according to the National Conference of State Legislatures. Most of those bills are tightening and expanding existing laws.
“As we’ve seen now how breaches work, a lot of the states are realizing it’s time to update what for some of them are decade-old statutes,” says Eduard Goodman, chief privacy officer at IDT911 (which sponsors ThirdCertainty).
The Connecticut General Assembly is one of the latest examples. Earlier this month, it changed its breach-notification laws to require businesses to notify victims within 90 days and to provide them with at least a year of identity-theft protection.
“Everyone would be happy if there was a federal law because it would be so much simpler,” says Tom Patterson, a security and privacy expert and vice president of global security solutions at Unisys, a global information-technology company. “But in the absence of that, states are taking matters into their own hands and trying to do things to better protect their citizens.”
Since California enacted the first breach-notification law in the country in 2002, all but three states — Alabama, New Mexico and South Dakota — eventually followed suit. (Alabama and New Mexico have unsuccessfully tried to pass related legislation several times in the past few years.)
Lawmakers have a nose for news
The media is one of the drivers behind the momentum. As breaches dominate the news, state lawmakers are taking notice—especially if the news hits close to home.
In Washington state, for example, breaches in recent years have included the Catholic Archdiocese of Seattle and the state’s own Public Disclosure Commission.
“Legislators often react to what’s in the news, and we try to solve that problem,” says Rep. Zach Hudgins, who sponsored a recently passed bill in the Washington Legislature that expands the state’s breach-notification laws, including to paper records.
“There’s momentum because legislators are getting better educated on the issues, and some of the issues are very complex,” says Hudgins, who has worked at Amazon and Microsoft, and is one of few tech industry professionals in the Legislature.
Wider definition of PII
Many of the state bills during the current legislative session are expanding the definition of personal information to include things such as biometric and health data. Many states also are requiring notification of the state attorney general, and several are delving into K-12 student data protection.
“These are reactive laws, they’re good in terms of notification, but we also want to see the states setting baseline security standards that companies have to follow,” says Caitriona Fitzgerald, chief technology officer and state policy coordinator for the Electronic Privacy Information Center (EPIC).
Only a minority of states are including proactive requirements in their bills. While in some cases that includes a provision for basic encryption, it also could entail something as simple as having a response plan and practicing it several times a year.
One of the challenges is the complexity of the technology, which leads to disagreements over seemingly benign aspects like the definition of cybersecurity.
“It’s a technical issue and legislators struggle to understand it,” Fitzgerald says.
Another challenge—and the reason other privacy and security bills are a much tougher sell than breach notifications—is the idea of the government telling companies how to run themselves, especially when it involves ever-changing technology and a lack of standards.
“To get into prescribing security, you have to have some benchmarks, and everything changes so quickly. It’s a slippery slope and a difficult thing to peg down,” Goodman says.
One size doesn’t fit all
Although many state lawmakers are modeling their bills after other states, the laws still vary widely around the country. As one example, Florida is the only one requiring notification to consumers within 30 days of breach discovery, while other states have much longer deadlines or no deadlines at all.
But Patterson says it’s not a real loss of protection, based on what state you live in, but more of a perception.
“The reality is that most companies, if they have to do something for one state, it’s easier to do it for all 50 states than follow individual rules,” he says.
And some of the changes may not be for the best. Goodman says he’s seeing the response by companies become driven by compliance rather than a desire to do something meaningful for consumers.
“People are getting overnotified to a point where they don’t give it a second thought,” he says. “They’re getting desensitized. It’s a double-edged sword.”
Capitol Hill not on bandwagon
The momentum in the state legislatures to tackle data-related bills is not likely to spill over to the federal government, however.
“Congress is much more beholden to special interests and influence,” Goodman says.
And the topic of privacy, in general, is much more sensitive than breach notification. Patterson notes that there’s big business built around personal data because consumers are willing to trade their information for free things like mobile apps, search engines and social networks.
“You’re paying for it by giving up some of your privacy,” he says. “There’s a lot of big money lobbying against privacy.”
Even at the state level, many privacy-related bills die without making it out of committee—as was the case this session in Washington state. Hudgins says if simple bills die in the state Senate, it’s easy to see how Congress would stall.
Another challenge is that federal legislation often preempts state laws—with the current White House privacy bill as a prime example.
“The pressure the feds get is to water down the increasingly robust laws by passing something federally that’s more predictable and easier to comply with,” Goodman says. “For the most part, that weakens the consumer protection pretty substantially.”
Fitzgerald notes that 432 million online accounts were hacked last year and says the problem should be addressed at both state and federal levels.
“As a baseline, the federal government should pass something,” she says. “But anything that the federal government passes should not preempt state laws.”