Wednesday, January 6, 2016

CRS Report - Data Security & Breach Notification Legislation: Selected Legal Issues

Thanks to our friends at the Federation of American Scientists, the recently issued Congressional Research Service (CRS) report entitled Data Security and Breach Notification Legislation: Selected Legal Issues has been made available.  (21 Pages)
This is a focused report providing a review of the following:

  • Proposed Legislation introduced in the 114th Congress on Data Security and Breach Notification
  • Discussion about State Data Breach Laws (very brief)
  • Legal Analysis of:
    • Preemption of State Laws, Regulations, and Claims should Federal Law(s) be Passed in this Area
    • Agency Enforcement of Data Security and Breach Notification Requirements
Some interesting takeaways from this report:

1) 47 US States, the District of Columbia, and three US territories (Guam, Puerto Rico, US Virgin Islands) have enacted data security laws.

2) Alabama, New Mexico, and South Dakota have not enacted breach notification laws.

3) Massachusetts has issued regulations requiring persons who own or license personal information about a Massachusetts resident to "...develop, implement, and maintain a comprehensive information security program..." (201 Mass. Code Regs. 17.03(1))  Such a program must be in writing and contain administrative, technical and physical safeguards appropriate to the size and type of business, available resources, and amount of stored data.  Businesses must also conduct an annual review of security measures.
4) (Excerpt on Federal Preemption of State Data Security Laws - Page 15 )

5) (Excerpt on Agency Enforcement - Page 19)

Overall, this is an interesting read on the implications of possible Federal legislation in the domain of data breach laws primarily addressed by US state laws.