
Security breach laws become state's rights issue

Federalism questions pepper a Senate hearing on data mishaps. Should states regulate security breaches too?

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
In the wake of a series of high-profile security mishaps, key members of Congress have pledged to crack down on data brokers.

But a Senate hearing on Wednesday showed that important federalism questions--namely, how much flexibility states will enjoy to craft their own rules--remain unresolved.

"Why not pre-empt state laws so these companies know what they're dealing with and don't have to familiarize themselves with the differences" that 50 different state laws could pose, asked Arlen Specter, a Pennsylvania Republican who heads the Senate Judiciary Committee.

On technology topics, Congress frequently sets national rules and prevents states from enacting stricter ones. That's the approach taken by the 2003 Can-Spam Act, which overruled stricter state laws that, in some cases, set "opt-in" rules for bulk e-mail and granted junk e-mail recipients the right to sue spammers. Can-Spam grants no such right.

Data breaks

High-profile breaches are finally waking lawmakers up to the need to make sure personal data is securely protected on computers.

LexisNexis
Date: March 2005
Incident: Hackers gained access to databases at LexisNexis' Seisint unit.
At risk: Personal information of about 310,000 U.S. citizens.

ChoicePoint
Date: February 2005
Incident: The data collection company confirmed that information from its consumer database was stolen.
At risk: Names, addresses and Social Security numbers of more than 150,000 Americans.

Bank of America
Date: February 2005
Incident: Bank lost backup tapes detailing the financial records of credit cards held by federal employees.
At risk: More than 1.2 million records in the SmartPay charge card program, which has annual transactions totaling more than $21 billion.

PayMaxx
Date: February 2005
Incident: Flaws in the online W-2 service of PayMaxx exposed customers' payroll records.
At risk: The discoverer of the flaws claimed they affected more than 25,000 people. PayMaxx said only a small number of companies were involved.

SAIC
Date: February 2005
Incident: Desktop computers were stolen from the offices of Science Applications International Corp.
At risk: Personal information of current and past stockholders in the government contractor.

William Sorrell, Vermont attorney general and president of the National Association of Attorneys General, asked senators to veer in a different direction this time. "Have your law be a floor rather than a ceiling," Sorrell said Wednesday. "Be respectful of the ability of the states."

State legislators have wasted no time in responding to a series of security snafus involving Bank of America, payroll provider PayMaxx, and Reed Elsevier Group's LexisNexis service. More than 20 states, including New York, Washington, Illinois and Texas, already have proposed responses such as requiring that consumers be alerted if their personal information is disclosed accidentally or improperly.

The data mining companies that are likely targets of regulation aren't exactly clamoring for a crackdown. But they said Wednesday that if new laws are going to be enacted, they'd strongly prefer a uniform federal rule over a state-by-state approach.

"We support a pre-emptive national notification law," Doug Curling, president of ChoicePoint, told the Senate committee. Added Jennifer Barrett, Acxiom's chief privacy officer: "Acxiom supports efforts to pass federal pre-emptive legislation requiring notice to consumers in the event of a security breach, where such breach places consumers at risk of identity theft or fraud."

Some state bills are broader than the possible legislation that Barrett described. A New Jersey measure, for instance, requires notification "if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person." There's no requirement that the disclosure place a consumer at risk of identity fraud.

"You have these companies that are going to have to comply with a patchwork of legislation" from states, Specter said. "There's been some thought that this ought to be a matter for federal jurisdiction on lawsuits. I have great reservations about that." One reason for his concern, Specter said, is that residents of rural states may find that the nearest federal courthouse is not exactly nearby.