Sunday, November 18, 2007

Variation in State Laws: A Problem to be Solved?

Over at the Compliance and Security Connection, there's a post up about potential problems with "The Tangled Web of Data Breach Notification Laws." The post describes the difficulties that bananas.com had when it experienced a data security breach. According to the post

Bananas apparently failed to meet all the various state notification requirements and was subsequently slammed with fines and fees by major credit companies...The issue is the variation between the different state consumer notification laws.

However, neither the post nor the article it refers to (link here) explains how the variation in data breach notification laws actually hurt bananas.com. While the article isn't clear on this point, the fees bananas.com ended up paying were almost certainly imposed under bananas.com's agreements with the credit companies, not under any state data breach notification act. Indeed, many state laws (e.g., Indiana's) are written so that they are enforceable only by an action brought by the state attorney general. Thus, while variation in state laws might be annoying, blaming that variation for fees imposed by credit companies seems a bit unfair.
Similarly, while the post intimated that complying with varying state requirements is more difficult than complying with a single national standard would be, there is no evidence that that is the case. As an analogy, in the area of environmental regulations, California has the authority to enact its own emissions standards, which can be more stringent than those imposed by the EPA. The result, according to automakers, is not a patchwork of different standards; it's a single de facto national standard, since a company complying with the more stringent California rules will automatically be in compliance with the less demanding EPA rules (for an article describing some legal consequences of the relationship between California and the EPA, see here). A similar strategy of following the most stringent requirements can be applied to data breach notification laws. For example, a company that notifies consumers of every breach will automatically satisfy a narrower requirement to notify consumers only of breaches that carry a risk of harm, since every breach covered by the narrower rule is also covered by the broader one.
In general, then, I remain unconvinced that variation between state laws presents any real burden. I also think that such variation can be beneficial, as individual states can engage in experimentation to try to appropriately balance the interests of businesses and consumers. A federal law (such as was called for in the post) might smooth out variation, but it would also cut off the experimentation currently going on among different states: a real drawback that should be considered when evaluating whether such a law should be passed.

Link to the Compliance and Security Connection provided by George Jenkins at I've Been Mugged.