Federal Preemption in the Area of Data Security Breach Laws - an update from Jeff Jinnett

As we have noted in previous postings on this weblog, there appears to be an increasing trend toward the federalization of regulatory areas impacting the financial services industry. Thus, the legislation to create a new Consumer Financial Protection Agency (CFPA), which passed out of the House Financial Services Committee on October 22, 2009  includes a provision to preempt contrary state laws under certain circumstances, such as where the state laws would significantly interfere with a national bank’s ability to do business.  In the area of data security breach laws, a similar trend appears to be emerging.

With respect to the obligation to make disclosures to the individuals whose personal information was not kept confidential, over 45 states have enacted data security breach laws that require such a disclosure.  The California data security breach notification law (SB 1386) , which was one of the first state data breach security laws, requires “a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." An important exception to the requirement to notify of a data breach under the California law (and various other state laws) is if the personally identifiable information was encrypted. This is an example of how critical information technology can be to either complying with a new law and/or securing an exemption from the new law.

In addition to these state laws, there are a number of U.S. federal laws that impose disclosure obligations on specific types of regulated companies. For example, public companies filing with the U.S. Securities and Exchange Commission (SEC) have an obligation under Regulation S-K  to disclose information to shareholders that materially negatively impact the company, such as a material impairment to the goodwill of the company. This type of disclosure would normally be made in a Form 8-K, but could also be required to be made in the annual report on Form 10-K. For example, during the Y2K years, the SEC required public companies to describe their potential risks from the Y2K problem and their ongoing Y2K programs, if the Y2K risk was deemed to be a material risk for the companies (See https://www.sec.gov/interps/legal/slbcf5.htm).  The SEC also has proposed an amendment to Regulation S-P  affecting companies subject to the Gramm-Leach-Bliley Act that would impose additional disclosure obligations in the case of loss of consumer private information. As interpreted by one law firm:

“[F]irms must establish procedures to provide prompt notice to affected individuals if a data security breach has occurred or is reasonably possible. The Commission did not provide guidance on what is meant by ‘reasonably possible’ but is seeking comment to determine if this threshold for notice is appropriate or whether there should be an alternative threshold for notice. The Commission indicated that it did not want to trigger notice ‘in every instance of unauthorized access or use, such as if an employee accidentally opened and quickly closed an electronic account record,’ because otherwise ‘individuals could receive an excessive number of data breach notifications and become desensitized to incidents that pose a real risk of identity theft.’  If a data security breach results in substantial harm or inconvenience to an individual or an unauthorized person has intentionally obtained access to or used sensitive personal information, notice must also be provided to the Commission (or, for certain broker-dealers, their designated examining authority). The Commission believes this trigger for regulatory notice will conserve ‘administrative resources by allowing minor incidents to be addressed in a way that is commensurate with the risk they present’.” (See https://www.bingham.com/Media.aspx?MediaID=6636)

There are also certain U.S. federal laws that require notification in the event of personally identifiable health information, such as under the HITECH Act.  The HITECH Act’s notification requirements for breaches of unsecured protected health information apply to entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), their business associates, and non-HIPAA covered vendors of personal health records (PHR). To constitute a breach, the acquisition, use, access or disclosure of the PHI must compromise the security or privacy of such information. The U.S. Department of Health and Human Services (DHHS) has issued guidance that lists technologies and methodologies that secure information, rendering the data unusable, unreadable, or indecipherable. If PHI is secured according to the DHHS guidance, unauthorized access to such information will not trigger the HITECH breach notification requirements. It should be noted, however, that these breaches may still be subject to state law notification mandates.

Over the past few years, the U.S. Congress has considered a number of bills that would create a federal data security breach law that would preempt contrary state laws. For example, on April 30, 2009, Representative Bobby Rush (D-Ill) introduced H.R. 2221, the Data Accountability and Trust Act . The “Data Accountability and Trust Act” would implement uniform federal breach notification requirements and preempt the various state laws requiring notification.

Data security breach laws are an example of the need for regulated companies to become adept at understanding the intersection between U.S. federal and state laws and regulations and the information technologies that can help them confirm compliance and/or exemption from coverage with respect to such mandates.