Remember well over a year ago, when last February ChoicePoint announced it had a major data security breach? Since then hundreds of breaches have been announced — over 200 instances involving data on 88 million people. Several bills were proposed in Congress; many Senators and Representatives quickly emphasized the importance of privacy and data security. And after all this time, what has Congress produced? Nothing.
Meanwhile, the states have been very busy. 31 states have passed data breach notification laws. 24 states have now passed credit freeze laws, which allow people to lock their credit files to prevent unauthorized activity.
I never used to be a fan of federalism, but in following information privacy law, I’ve found that the states are by far more responsive to problems, more flexible and experimental in solutions, and more able to get things accomplished. Substantively, the states have also established a better balance between privacy and business interests than Congress.
The bills kicking around in Congress would preempt many of the state laws discussed above. Ironically, that is what might make Congress finally do something in response to the data security breaches. Companies afraid of an orgy of state laws are pushing Congress to act — not to protect privacy, but to wipe the board clean of state regulation and replace it with a weaker less-protective federal standard all in the guise of helping to “protect” our privacy.