The constant but healthy tension between state and federal government surrounds many hot-button issues: healthcare, gay marriage, the death penalty. While the first two have been decided at the federal level, the last one, for now, is left to each state. And even though cybersecurity has not been as widely discussed, it is yet another subject straddling that fine line between jurisdictions.
Attorneys general from all states, with the exception of Colorado, Oklahoma, Texas, Wisconsin and Wyoming, signed a letter to congressional leaders on July 7 requesting that any bill passed by the House and the Senate not undermine states' rights in determining how each will handle security breaches.
"Any additional protections afforded consumers by a federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft," the letter reads. "States are the front line in helping consumers deal with the repercussions of a data breach."
However, three of the states whose attorneys general signed the letter lack any sort of security breach law: Alabama, New Mexico and South Dakota. This means that those states are not required to notify consumers that their personal data may have been compromised.
The federal government has attempted to remedy that problem. In January, President Barack Obama introduced the Personal Data Notification and Protection Act, which is geared toward helping create a standard procedure for notifying people if their data has been breached.
Under the proposed act, the business holding the compromised data would be required to let the affected person know of the breach by letter, phone call or email within 30 days, unless a reasonable extension is granted.
But some see weaknesses in the proposed law. The Center for Democracy and Technology, a Washington-based nonprofit whose main work focuses on Internet security, expressed concern that the act's preemption clause was "quite broad, eliminating all state laws that are related to data breach — even notification laws that cover data sets not covered by the legislation."
The congressional letter sent by the attorneys general highlights the need for states to be primarily in charge of handling data breaches affecting people within their borders.
"If states are limited by federal legislation, we will be unable to respond to their concerns," the attorneys general say in their letter. "Too many breaches occur for any one agency to respond effectively to all of them. Some breaches will be too small to be a priority at the federal level, yet such breaches could have a large impact in a particular state or region. State attorneys general must have the authority to investigate such breaches, and they should be able to continue to require notification to their offices."
Thirty-two of the 47 states with data breach notification laws proposed bills this year that would tack on additional requirements to existing state laws. For example, many states proposed that companies be required to report jeopardized data to a central state agency, like the attorney general. This update would fall in line with what the letter from the attorneys general is after.
The problem? Some of those bills have failed, and the rest are still pending. Alabama, Arizona, New Mexico and Virginia all rejected notification bills this year, while South Dakota did not introduce one at all. In the remaining states, the bills are still working their way through the legislature.
While state governments grapple with how to legislate security notifications, breaches themselves continue to pop up in the private and public sector. The Office of Personnel Management was hacked in June, exposing the personal data of up to 18 million people. Perhaps one of the more famous examples is the massive data breach at Target in 2013, in which 40 million customers had credit and debit information stolen.
The point of all this? Data breaches are not slowing down; they are becoming more sophisticated and widespread. Regardless of who ultimately takes charge of breach notifications, whether the federal or the state government, the notification process needs to shorten the gap between when a breach happens and when the people affected are alerted.
But if the Supreme Court's gay marriage decision has shown us anything, it's that the ever-present tension between state and federal governments often creates an impasse.
To fix this, other tactics are being tried in an attempt to compromise. Representative David Cicilline, D-R.I., presented a bill on July 7 that serves as a companion to Senator Patrick Leahy's Consumer Privacy Protection Act. While Cicilline's bill is similar to many others in that it requires consumers to be informed within 30 days if their data is compromised, it differs in its approach to state government. Under this bill, state governments would not be required to abide by a blanket federal rule.
Whether this compromise will be the key to better breach notification laws remains to be seen. The bill is currently backed only by Democrats, and Republican representatives remain concerned that it still gives the federal government too much power. Meanwhile, data breaches will continue to put businesses and consumers at risk.