Businesses scrambling to comply with the dozens of varying state laws governing data privacy and security breaches may have a new ally in California Attorney General Kamala Harris, but they shouldn’t expect her to relax any standards.
In her introduction to the 2016 California Data Breach Report, Harris addressed the concerns of many who have pointed out the inconsistencies and wildly different requirements for handling a breach among the states. Rather than a federal breach law that would preempt the laws of forty-seven states (including the very protective standard in California), the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, Harris proposed that states come to an agreement on certain key points.
“State policy makers should collaborate to harmonize state breach laws on some key dimensions. Such an effort could reduce the compliance burden for companies, while preserving innovation, maintaining consumer protections, and retaining jurisdictional expertise,” the report recommends.
The report states that federal preemption would be a mistake because it would lower the bar in many states that have robust consumer protection in place with respect to breaches. Instead, the report sees a pattern in the current “patchwork” of state laws that creates opportunities for winnowing the number of different state requirements. In particular, the report points out that, since the highest standard usually governs in multi-state breaches, states that continue to have high standards will protect consumers in states with lower standards, thereby minimizing the patchwork.
Harmonization of state breach laws would make compliance much simpler for companies, and proposed reforms have included working with the Uniform Law Commission to develop a law on point for the states to adopt. The opposition to a preemptive federal law comes as no surprise following the July 2015 letter that 47 state attorneys general sent to Congress stating this position. The report’s insistence that lowering the bar from California and other states’ high standards is not an option from a consumer protection standpoint indicates that, while businesses may hope for some relief from the panoply of laws, they should not expect the requirements to become more forgiving. As a result, the class actions and government investigations that usually follow data breaches will still have plenty to latch onto.
How the harmonized state laws would look is an open question. We will be following these developments closely and reporting back.