Data Security and Breach Notification Legislation: Selected Legal Issues (CRS Report for Congress)
Release Date: Dec. 28, 2015
Report Number: R44326
Report Type: Report
Authors: Dolan, Alissa M.
Source Agency: Congressional Research Service
Summary:
Recent data breaches at major U.S. retailers have placed a spotlight on concerns about the security of personal information stored in electronic form by corporations and other private entities. A data breach occurs when data containing sensitive personal information is lost, stolen, or accessed in an unauthorized manner, thereby causing a potential compromise of the confidentiality of the data. Existing federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and the Gramm-Leach-Bliley Act, impose security and breach notification requirements on specific industries or types of data. Additionally, 47 states, the District of Columbia (D.C.), and three territories have enacted laws requiring breach notification, while at least 12 states have enacted data security laws, designed to reduce the likelihood of a data breach. Alabama, New Mexico, and South Dakota have not enacted breach notification laws.
Several data security and breach notification bills have been introduced in the 114th Congress, which broadly would impose security and notification requirements on businesses regardless of industry sector, with limited exceptions. This report begins by describing the common elements of these federal proposals and then discusses state laws that may apply in the event of a data breach.
The report then addresses two legal issues that may arise in consideration of new legislation about data security and breach notification. First, how would new federal legislation alter the application of existing state law or the availability of state law remedies for victims of data breaches? The report will discuss various forms of federal preemption (including express preemption, implied impossibility preemption, and implied obstacle preemption) and evaluate how a reviewing court might apply these preemption principles to federal proposals to determine which state laws would be superseded.
Second, the report examines the existing jurisdiction and enforcement authority of the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) with regard to data security and breach notification requirements. This section analyzes the FTC's unfair or deceptive acts and practices authority under the Federal Trade Commission Act and the FCC's authority to regulate data security and breach notification for common carriers and cable and satellite providers under the Communications Act. Finally, it evaluates how the current federal proposals would change the enforcement responsibilities of each agency, potentially increasing the jurisdiction of the FTC and limiting the FCC's ability to enforce its existing data security rules.