IV. THE PUSH FOR FEDERAL LEGISLATION TO UNIFY A NOTICE STANDARD AND ADDRESS THESE CONCERNS
The best path forward to address these concerns may be the implementation of a federal data breach notification standard. Sectorial federal notification requirements are in place, depending on the industry, with the granddaddy of such legislation being the Health Insurance Portability and Accountability Act of 1996 (HIPAA).36 Harmon concludes that “[t]he federal government is best situated to implement these
34. 2021 Security Breach Legislation, NAT’L CONF. OF ST. LEGISLATURES (Jan. 12, 2021), https://perma.cc/V79D-FR8H (describing common trends in state data breach notification legislation).
35. Id.
36. Pub. L. No. 104-191, 110 Stat. 1936 (1996); see 45 C.F.R. pt. 164 (2022). Even with HIPAA, challenges remain with regard to the definition of access in light of new technologies. See 45 C.F.R. § 164.402 (2022) (defining breach as the “acquisition, access, use, or disclosure of protected health information”).
changes by issuing its own data breach notification law, both because of its broad jurisdiction and because of its better access to relevant information on the state of technological advancements.”37
While data breach notification bills continue to be proposed at the federal level, none have advanced far in Congress, and they primarily address unifying requirements and notification timelines rather than access and evolving technologies.38 For example, Senators Warner, Rubio, and Collins proposed the “Cyber Incident Notification Act of 2021”39 which required certain covered entities to report cyber intrusions or potential cyber intrusions, within twenty-four hours. However, notably missing was a definition of cyber intrusion, which the Bill left up to rulemaking authorities.
Federal legislation aimed at addressing these concerns would be welcome but should equally be built with the flexibility to withstand emerging cyber incidents and technology.
37. Harmon, supra note 1, at 514.
38. See Maria Korolov, Pressure Grows for Federal Data Breach Legislation, DATA CTR. KNOWLEDGE (June 22, 2021), https://perma.cc/YDU4- WBES.
39. S. 2407, 117th Cong. (2021), https://perma.cc/LD39-PUX6 (PDF)
Table of Contents
- INTRODUCTION
- I. EMERGING THREATS HAVE UPENDED DATA BREACH NOTIFICATION LAWS
- II. STATE DATA BREACH STATUTES FAIL TO ADDRESS AUTOMATED WIDESPREAD ACCESS AND UNCLEAR ACQUISITION
- III. EVOLUTION OF TECHNOLOGY, INCLUDING QUANTUM COMPUTING, REQUIRES CHANGES TO THE CURRENT STATE DATA BREACH NOTIFICATION REGIME
- IV. THE PUSH FOR FEDERAL LEGISLATION TO UNIFY A NOTICE STANDARD AND ADDRESS THESE CONCERNS