Newly introduced Data Security Act would remove data security standards from state oversight

Hinshaw & Culbertson LLP
Contact
LinkedIn
Facebook
X
Send
Embed

The Federal Government has not taken significant steps to regulate data security. For that reason, local and state officials have been taking a more aggressive role in responding to data breaches and in establishing best practices for protecting data. 

Following the well publicized breaches involving Target and Neiman Marcus, Senators Tom Carper (D-Del.) and Roy Blunt (R-Mo.) re-introduced legislation, the “Data Security Act,” that would establish federal standards for data security and remove the issue from state oversight, with one notable exception: standards for insurance companies. 

The Data Security Act would require companies to take appropriate steps to protect personal information and to notify consumers when data breaches could result in identity theft or financial losses. There would be no notification requirement if the stolen data was encrypted or otherwise unusable.

Healthcare insurers subject to HIPAA would be in compliance provided they comply with regulations promulgated under that act. 

The proposed law would preempt all state laws related to data security and notification requirements and prohibit all lawsuits in state court or under state law that relate to “any act or practice governed under the Act.” These provisions, taken together, would effectively remove data security from state oversight.

Proponents of the legislation contend that federal standards for data security are necessary because companies are subject to multitude of local laws, which sometimes conflict. Yet even under the proposed law, there would not be a single set of standards. The bill would delegate regulatory authority to a patchwork of federal agencies to promulgate rules for the particular industry that agency oversees. 

For most insurance companies, state insurance departments would retain regulatory oversight for creating data security standards. This leaves open the possibility that insurers would still have to comply with standards that vary by jurisdiction.  However, the proposed legislation would require agencies to consult with each other, to the extent possible, to develop regulations that are consistent and comparable.

The bill is in its embryonic stages and certainly would undergo significant changes if ever passed. With data breaches becoming more prevalent and larger in scope, the push for federal action in this area will only increase.

 

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hinshaw & Culbertson LLP | Attorney Advertising

Written by:

Hinshaw & Culbertson LLP
Hinshaw & Culbertson LLP
Contact
more
less

Hinshaw & Culbertson LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide