As prospects of passing consumer-privacy legislation in Congress remain bleak, state lawmakers are picking up the ball and running with it.
At least 32 states have data breach notification laws on the docket this legislative session, according to the National Conference of State Legislatures. Most of those bills are tightening and expanding existing laws.
“As we’ve seen now how breaches work, a lot of the states are realizing it’s time to update what for some of them are decade-old statutes,” says Eduard Goodman, chief privacy officer at CyberScout (which sponsors Third Certainty.)
The Connecticut General Assembly is one of the latest examples. Earlier this month, it changed its breach notification laws to require businesses to notify victims within 90 days and to provide them with at least a year of identity theft protection.
Since California enacted the first breach notification law in the country in 2002, all but three states — Alabama, New Mexico and South Dakota —eventually followed suit. (Alabama and New Mexico have unsuccessfully tried to pass related legislation several times in the past few years.)
Wider definition of PII
Many of the state bills during the current legislative session are expanding the definition of personal information to include things such as biometric and health data. Many states also are requiring notification of the state attorney general, and several are delving into K-12 student data protection.
“These are reactive laws, they’re good in terms of notification, but we also want to see the states setting baseline security standards that companies have to follow,” says Caitriona Fitzgerald, chief technology officer and state policy coordinator for the Electronic Privacy Information Center (EPIC).
Proactive requirements are included in only a minority of state bills. While in some cases that includes a provision for basic encryption, it also could entail something as simple as having a response plan and practicing it several times a year.
One of the challenges is the complexity of the technology, which leads to disagreements over seemingly benign aspects like the definition of cyber security.
“It’s a technical issue and legislators struggle to understand it,” Fitzgerald says.
Although many state lawmakers are modeling their bills after other states, the laws still vary widely around the country. As one example, Florida is the only one requiring notification to consumers within 30 days of breach discovery, while other states have much longer deadlines or no deadlines at all.
Some of the changes may not be for the best. Goodman says he’s seeing the response by companies become driven by compliance rather than a desire to do something meaningful for consumers.
“People are getting overnotified to a point where they don’t give it a second thought,” he says. “They’re getting desensitized. It’s a double-edge sword.”
Capitol Hill not on bandwagon
The momentum in the state Legislatures to tackle data-related bills is not likely to spill over to the federal government, however.
“Congress is much more beholden to special interests and influence,” Goodman says.