The Federal Government has not taken significant steps to regulate data security. For that reason, local and state officials have been taking a more aggressive role in responding to data breaches and in establishing best practices for protecting data.
Following the well publicized breaches involving Target and Neiman Marcus, Senators Tom Carper (D-Del.) and Roy Blunt (R-Mo.) re-introduced legislation, the “Data Security Act,” that would establish federal standards for data security and remove the issue from state oversight, with one notable exception: standards for insurance companies.
The Data Security Act would require companies to take appropriate steps to protect personal information and to notify consumers when data breaches could result in identity theft or financial losses. There would be no notification requirement if the stolen data was encrypted or otherwise unusable.
Healthcare insurers subject to HIPAA would be in compliance provided they comply with regulations promulgated under that act.
The proposed law would preempt all state laws related to data security and notification requirements and prohibit all lawsuits in state court or under state law that relate to “any act or practice governed under the Act.” These provisions, taken together, would effectively remove data security from state oversight.
Proponents of the legislation contend that federal standards for data security are necessary because companies are subject to multitude of local laws, which sometimes conflict. Yet even under the proposed law, there would not be a single set of standards. The bill would delegate regulatory authority to a patchwork of federal agencies to promulgate rules for the particular industry that agency oversees.
For most insurance companies, state insurance departments would retain regulatory oversight for creating data security standards. This leaves open the possibility that insurers would still have to comply with standards that vary by jurisdiction. However, the proposed legislation would require agencies to consult with each other, to the extent possible, to develop regulations that are consistent and comparable.
The bill is in its embryonic stages and certainly would undergo significant changes if ever passed. With data breaches becoming more prevalent and larger in scope, the push for federal action in this area will only increase.