Data Security Laws, the States, and Federalism
Remember well over a year ago, when last February ChoicePoint announced it had a major data security breach? Since then hundreds of breaches have been announced — over 200 instances involving data on 88 million people. Several bills were proposed in Congress; many Senators and Representatives quickly emphasized the importance of privacy and data security. And after all this time, what has Congress produced? Nothing.
Meanwhile, the states have been very busy. 31 states have passed data breach notification laws. 24 states have now passed credit freeze laws, which allow people to lock their credit files to prevent unauthorized activity.
I never used to be a fan of federalism, but in following information privacy law, I’ve found that the states are by far more responsive to problems, more flexible and experimental in solutions, and more able to get things accomplished. Substantively, the states have also established a better balance between privacy and business interests than Congress.
The bills kicking around in Congress would preempt many of the state laws discussed above. Ironically, that is what might make Congress finally do something in response to the data security breaches. Companies afraid of an orgy of state laws are pushing Congress to act — not to protect privacy, but to wipe the board clean of state regulation and replace it with a weaker, less-protective federal standard, all in the guise of helping to “protect” our privacy.
Since it is so hard to get Congress to do or change anything, and since Congress seems to respond less to the problems of the people and more to the problems of companies, perhaps there’s a small oasis in the states where good laws can get passed, where things can still get done. The pathologies that affect Congress certainly affect state legislatures too, but it seems to me to be less so. Congress is so swept up in the national party politics and posturing that it seems almost totally crippled and unable to do anything.
Of course, not all state laws are perfect. According to an article at stateline.org, “only 21 of the 32 states with breach notification laws impose the requirement on government agencies. The 11 states with breach notification laws that don’t apply to government agencies are Colorado, Connecticut, Delaware, Georgia, Maine, Minnesota, Montana, North Carolina, North Dakota, Texas and Utah.” But despite these problems, the states, and not Congress, are the true friends of protecting privacy.
Increasingly, I’ve really warmed up to federalism. It’s great to have a federal rule when it is one you agree with, but not so great when you don’t like it and it undoes your state’s better laws.