Jul 31, 2019

The State of State Data Laws, Part 1: Data Breach Notification Laws

A few weeks ago, Equifax settled with federal and state regulators to pay up to $700 million in damages and penalties from the 2017 data breach involving the personal information of millions of Americans.

This is far from the only time data security and privacy have been in the news. Just this week, Capital One announced a major breach that exposed the data of 106 million customers and applicants. From privacy for social media and search to security for government organizations and infrastructure, it seems hardly a week goes by without a data-related scandal.

While Congressional lawmakers debate possible federal legislation on data privacy and security, some states are pursuing their own new policy actions. Lacking a federal law, the current patchwork of state laws has both benefits and shortcomings.

This piece, focusing on data breach notification laws, is the first in a series examining state actions and debates on data issues, as well as the potential benefits or consequences (or both) of a state-level approach to these issues. Future essays will consider state-level general consumer data privacy laws, state policies concerning specific types of information such as biometrics, and regulations concerning government data security and use of data.

News of Equifax-like breaches often worries customers about adverse financial consequences such as identity theft. Some legal scholars argue that any breach harms users, regardless of whether the exposed data are abused by malicious actors or not. Either way, data breach notification laws that require companies to tell customers when data have been exposed are intended to enable consumers to make choices about what to do when such events happen and to protect themselves if their information was compromised.

Beginning with California in 2003, all 50 states have enacted some form of data breach notification law. This approach means consumers will be notified in the event that certain information is wrongly exposed. However, these laws vary significantly on important factors, including who is covered, what data are covered, how notifications should occur, and how long the breached entity has to provide that notification. In general, however, these laws are an important step in empowering consumers to take appropriate action based on their own level of concern following a breach.

While these laws help provide awareness for affected consumers, they are not without their own potentially adverse consequences. For example, as Andrea O’Sullivan has pointed out, basing notification windows on when a company learns of a hack could actually discourage better cybersecurity by dissuading the use of more active monitoring techniques that might make a company aware of a hack sooner.

Additionally, if consumers continually get notifications about breaches, fatigue may set in and consumers may become complacent about best practices after a breach, such as changing passwords or checking their credit reports.

The patchwork approach also has its own unique consequences for innovators and consumers. Companies subject to multiple state laws may find it easiest to comply with the most restrictive law rather than develop different systems or standards for each variation. Consumers may also be uncertain regarding their rights under different statutes.

Attempts to create a federal data breach law to harmonize this patchwork have been unsuccessful. State policymakers or enforcers often wish to retain and expand the specifics of their own policy rather than succumb to federal preemption. States that are more restrictive rarely want to agree to a solution that would reduce what they view as necessary protections. A poor federal policy could, in fact, make things worse by accidentally creating a mosaic of the worst elements of different policies in an effort to protect various states’ interests.

The current state-by-state approach to data breaches illustrates that while a patchwork may provide a solution, it can also create additional problems for both consumers and covered entities. Still, states have successfully provided notification requirements so that all consumers can determine appropriate next steps.

While a federal approach might be preferable in providing certainty and uniformity, it might also exacerbate unintended consequences for cybersecurity, consumers, and innovators. Policies at any level need to consider how to balance the needs and choices of consumers with the incentives and realities of innovators subjected to these regulations.

Photo credit: Drew Angerer/Getty Images.
