Skip to content Skip to navigation

Why Isn't There A National Security Breach Notification Law?

June 13, 2008
by Reece Hirsch
| Reprints

Earlier this month, a parade of healthcare industry representatives and consumer privacy advocates offered testimony at a House panel hearing on bipartisan draft health information technology legislation. One of the topics discussed was the draft legislation's provisions that would impose standardized security breach notification requirements on all HIPAA covered entities and business associates. Marc C. Reed, executive vice president of human resources for Verizon Communications, told the committee that the creation of a single federal data breach notification standard would relieve the burden currently imposed on national companies that must comply with a patchwork of state security breach notification laws.

In advising national companies in responding to security breach incidents, I can attest that among the first things a company must do are (1) identify the states in which the individuals affected by the breach reside; (2) find out if those states have passed security breach notice laws; and (3) determine what the "highest common denominator" is for compliance with all applicable state laws. This process would be simplified and rationalized if there were a federal security breach notification law.

Ever since the landmark ChoicePoint security breach in 2005, competing security breach notification laws have been kicked around on Capitol Hill but (shockingly) nothing has been accomplished. Obstacles to these new laws have included: (1) competition between committees championing their own security breach bills in the House and Senate; (2) deciding on the extent to which existing state security breach laws should be preempted; and (3) differences regarding the appropriate "trigger" for notification.

Consumer privacy groups are largely satisfied with this patchwork approach, which ensures that companies comply with the "highest common denominator." Even some industry representatives are resigned to the status quo. At the RSA conference in San Francisco in April, Mike Zaneis, VP of Public Policy for the Interactive Advertising Bureau, said, "You've got almost comprehensive coverage with state laws so there is not much of an impetus for national legislation. We had a real opportunity three years ago after the ChoicePoint data breach, but we sort of missed the bus a little bit."

Many national companies responding to security breaches and attempting to make sense of more than 40 differing state notification laws continue to feel that there is a strong impetus for national legislation. I, for one, am hoping that Congress will get past its inter-committee skirmishes and craft a sensible federal security breach notification law. To extend Mr. Zaneis' analogy, I would say that the bus hasn't left the station, but is stalled in the garage. Perhaps it just needs a jump-start. Okay, I'm going to stop now ….

Topics

Reece Hirsch

Partner, Morgan, Lewis & Bockius LLP

Reece Hirsch's Health Care Privacy Law Blog offers a lively commentary on a wide range of...