Data Disclosures Trigger New State Laws

2 Jun ’05

The rash of recent accidental and other data disclosures (I’ve posted on these issues on many occasions recently – see here for a series of related posts) has triggered new laws in several U.S. states that require, among other things, that affected persons be notified of a disclosure.

WaPo covers the waterfront in an article today, and Geoffrey Gussis links to a Proskauer Rose article that, like the MoFo article I linked to via Geoffrey a little while ago, explores the issues in considerable detail.

The WaPo piece speculates that, with the states potentially creating a patchwork of legislation, Congress may step in and pre-empt state laws:

But taken together, the state laws may backfire as businesses lobby Congress to enact new — and most likely less stringent — federal statutes to preempt what critics say is quickly amounting to a patchwork of disparate, confusing and costly new regulations.

“It’s really hard to defend against these types of laws. No [state lawmaker] wants to be on record saying, ‘Maybe this is a bad idea,’ because they’re going to get beaten up and cast as not caring about consumers,” said Stewart Baker, a partner with Washington, D.C.-based law firm Steptoe & Johnson. “But to the extent that all of these state laws deviate from the California statute, they create a massively confusing situation in which businesses have to go state by state to figure out what their obligations are to consumers.”

Critics of the multi-state approach say that due to the potential monetary, logistical and public-relations headaches that could come from establishing different requirements and penalties in each state, companies will soon be forced to set their overall policies to satisfy the state with the most stringent law.

Currently that state is North Dakota, where in April Gov. John Hoeven (R) signed a law that goes far beyond the California statute in its classification of what constitutes “personal identifying information.” Beginning today, companies doing business in the state will be required to disclose a data theft if the company loses track of any customer information — including information not generally considered “private,” such as names, addresses or telephone numbers.
