State Attorneys General Caution Against Federal Data Breach Laws
July 9, 2015 in News
On Tuesday, a group of 47 state attorneys general sent a letter to congressional leaders asking that any federal data breach notification law not pre-empt similar state laws already in place, Health Data Management reports (Goedert, Health Data Management, 7/9).
Several data breach notification bills are pending in the House and Senate, such as:
- HR 1560, which aims to encourage companies to allow federal cybercrime investigators access to their computer networks and records;
- HR 1731, which would require private-sector companies to send their information first to the Department of Homeland Security; and
- HR 1770, which would create a national data breach policy (iHealthBeat, 4/23).
Last month, lawmakers combined HR 1560 and HR 1731 and said they plan to work with the Senate, where similar legislation (S 754) also is pending, to create a compromise measure.
Although the efforts are not geared specifically toward health care, they touch on areas of interest to the industry (Schulze, iHealthBeat, 6/4).
In the letter to House and Senate leaders, the attorneys general wrote, “Any additional protections afforded consumers by a federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft.”
The attorneys general also cited a similar letter in 2005 that argued pre-emption “interferes with state legislatures’ democratic role as laboratories of innovation. The states have been able to respond more quickly to concerns about privacy and identity theft involving personal information and have enacted laws in these areas years before the federal government.”
The lawmakers noted that several states in recent years have enhanced breach notification laws with additional protections, including requiring notification for:
- Compromised biometric data;
- Login credentials for online accounts; and
- Login credentials for medical information.
They wrote, “Our constituents are continually asking for greater protection. If states are limited by federal legislation, we will be unable to respond to their concerns. Toward that end, it is important that any federal legislation ensure that states can continue to enforce breach notification requirements under their own state laws” (Health Data Management, 7/9).