Newly introduced Data Security Act would remove data security standards from state oversight


The Federal Government has not taken significant steps to regulate data security. For that reason, local and state officials have been taking a more aggressive role in responding to data breaches and in establishing best practices for protecting data. 

Following the well-publicized breaches involving Target and Neiman Marcus, Senators Tom Carper (D-Del.) and Roy Blunt (R-Mo.) re-introduced legislation, the “Data Security Act,” that would establish federal standards for data security and remove the issue from state oversight, with one notable exception: standards for insurance companies.

The Data Security Act would require companies to take appropriate steps to protect personal information and to notify consumers when data breaches could result in identity theft or financial losses. There would be no notification requirement if the stolen data was encrypted or otherwise unusable.

Healthcare insurers subject to HIPAA would be in compliance provided they comply with regulations promulgated under that act. 

The proposed law would preempt all state laws related to data security and notification requirements and prohibit all lawsuits in state court or under state law that relate to “any act or practice governed under the Act.” These provisions, taken together, would effectively remove data security from state oversight.

Proponents of the legislation contend that federal standards for data security are necessary because companies are subject to a multitude of local laws, which sometimes conflict. Yet even under the proposed law, there would not be a single set of standards. The bill would delegate regulatory authority to a patchwork of federal agencies, each promulgating rules for the particular industry it oversees.

For most insurance companies, state insurance departments would retain regulatory oversight for creating data security standards. This leaves open the possibility that insurers would still have to comply with standards that vary by jurisdiction. However, the proposed legislation would require agencies to consult with each other, to the extent possible, to develop regulations that are consistent and comparable.

The bill is in its embryonic stages and certainly would undergo significant changes if ever passed. With data breaches becoming more prevalent and larger in scope, the push for federal action in this area will only increase.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hinshaw & Culbertson LLP | Attorney Advertising
