House Panel Hears Call for Federal Breach Notice Law to Preempt States

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Donald G. Aplin  


A federal data breach notification law is needed to provide a single, reasonable, streamlined process to preempt the mix of data breach notice requirements in 46 states and the District of Columbia, several online industry professional groups told a House panel July 18 in the latest round of a decade-long debate.

But one academic on the witness panel at the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade hearing argued that fully preempting the network of state laws providing regulatory oversight and enforcement would undercut consumer protection.

A Decade of Discussion Continues

In 2002, California passed the nation's first statute requiring covered entities to notify individuals when their personal data are breached (1 PVLR 1180, 10/7/02).

Congress began considering whether federal law should override state breach notice laws soon thereafter in the 108th Congress when Sen. Dianne Feinstein (D-Calif.) introduced a bill (S. 1350) modeled on the California law that would have preempted state breach notice laws (2 PVLR 749, 7/7/03).

The first widespread interest in breach notice issues came, however, in the 109th Congress in the wake of a breach acknowledged by ChoicePoint Inc., one of the largest consumer data brokers, in which it sent 35,000 letters to Californians and 110,000 letters to people in other states, notifying them that criminals had fraudulently accessed their personal information and used it to perpetrate identity theft crimes (4 PVLR 197, 2/21/05).

In its background memorandum for the hearing, the subcommittee noted that it had been involved in considering data breach notification issues since 2006, when its then-chairman Rep. Cliff Stearns (R-Fla.)--who has since departed Congress--introduced the Data Accountability and Trust Act (H.R. 4127). That measure passed the full Commerce committee in 2006 but did not move on the floor (5 PVLR 459, 4/3/06).

Subcommittee ranking member Jan Schakowsky (D-Ill.) noted that the most recent flurry of concentrated congressional interest in a potential federal breach notice law happened in 2011, in the wake of large breaches reported by Sony Network Entertainment International and Epsilon Data Management LLC (10 PVLR 835, 6/6/11) and Citigroup Inc. (10 PVLR 875, 6/13/11). “Little has changed since then,” she said.

On June 20, the latest in the long line of federal breach notice bills seeking to preempt state laws (S. 1193) was introduced in Congress (12 PVLR 1106, 6/24/13).

Small Business Concerns

In his opening remarks, Chairman Lee Terry (R-Neb.) stressed that breach notification to affected consumers carries cost concerns for companies, particularly smaller businesses. He pointed to a recent breach incident faced by an unnamed small business that affected only about 500 individuals but required the business to figure out the breach notice laws in 44 different states in which those individuals resided.

Dan Liutikas, chief legal officer for the Computing Technology Industry Association, told the panel that implementing a single federal standard is “especially important” for small and medium businesses (SMBs) “because many of these firms do not have the requisite in-house expertise to thoroughly understand” the various state breach notice laws.

“Streamlining this process promotes robust compliance and serves as an incentive to SMBs to expand their businesses across jurisdictions,” Liutikas said.


“Limiting states' rights to impose liability for information security misconduct will further erode consumer trust and damage innovation in the United States.”




Andrea M. Matwyshyn, Assistant Professor,
Legal Studies and Business Ethics,
University of Pennsylvania's Wharton School

Debbie Matties, vice president of privacy for CTIA-The Wireless Association, said that the lack of a single federal standard “creates an unnecessary distraction for companies” that need to work to stop a breach, evaluate its damage, and correct vulnerabilities. “But these time-sensitive activities are hampered,” by the need to sort through the notice requirements of the patchwork of state laws, she said.

Jeff Greene, senior policy counsel for cybersecurity and identity at Symantec Corp., said any federal standard should include an exemption from notification for covered entities that employ technology to ensure that leaked information is unreadable or unusable.

Including such an exemption will assist in “preventing false positives” that result in over-notification of consumers, he said, noting that adding data security requirements, such as encryption rules, would ensure a focus on the pre-breach environment rather than simply on post-breach notification.

Kevin Richards, senior vice president for federal government affairs for TechAmerica, told the panel that a federal standard should cover only “sensitive personal information” and require notification only if there is a “substantial risk of harm” from the breach to an individual.

Role for Federal Trade Commission?

Andrea M. Matwyshyn, assistant professor of legal studies and business ethics at the University of Pennsylvania's Wharton School, agreed with other panelists that some sort of unifying federal baseline standard could be useful, but took a largely contrary view in her testimony on whether it should preempt state laws or include exemptions.

She also said that state law “[e]ncryption exemptions are not useful” because they are “plagued with definitional ambiguities that confound technologists and compliance personnel.”

Although she suggested that a central repository of data breaches reported to and maintained by the Federal Trade Commission would be a good idea, she emphasized that states should be able to maintain and enforce their breach notice regimes.

“Limiting states' rights to impose liability for information security misconduct will further erode consumer trust and damage innovation in the United States,” she said.

David Thaw, visiting assistant professor of law at the University of Connecticut School of Law, agreed with much of Matwyshyn's comments, including the maintenance of a breach notice registry by the FTC.

He suggested that the FTC be involved in a “bifurcated process,” in which the commission would be notified of all or most breaches and information would be available but direct notification of individuals would be required only in some instances.

The industry panelists agreed that if a federal regulator were named to handle consumer breach notice issues, the FTC should be that agency. They also acknowledged that jurisdictional limitations on the commission's power would mean that other federal regulators, such as the Federal Communications Commission and the Department of Health and Human Services, should continue to have a role in breach notice issues.

Risk of Harm Standard

The industry association panelists all called for some sort of risk of harm threshold for when breach notification is required.

Matwyshyn argued for a threshold for breach notification that would eschew a risk of harm standard, instead saying that breaches should be reported for “unauthorized access of any protected information connected with a consumer login credential.”

In response to a question from Subcommittee Vice Chairman Leonard Lance (R-N.J.) on whether any kind of risk standard should apply, Matwyshyn said that a showing of “actual harm should not be required.”

Thaw agreed that even a “substantial risk of harm is too high,” noting that under that standard, consumers in civil data breach litigation have been unable to successfully demonstrate harm from a breach sufficient to confer standing.

Thaw urged “that if a risk-of-harm threshold is adopted for consumer breach notification, an affirmative presumption of notification be implemented.”


Further information on the hearing, “Reporting Data Breaches: Is Federal Legislation Needed to Protect Consumers?,” including links to prepared witness testimony, a committee background memorandum, and an archived webcast of the hearing, is available at


Request Bloomberg Law: Privacy & Data Security