
As evidenced by another congressional hearing on data security, the idea of a federal data breach notification law is something that both businesses and consumers can support.  The concept has also attracted bipartisan support in Congress.

Following the string of online data breaches that Sony experienced in April and May (what Rep. Mary Bono Mack has called the "ground zero" of cyber attacks), Sony was criticized because it took a week to investigate the initial breach affecting its PlayStation network before notifying consumers or making a public announcement.  The reality is, however, that in the absence of a federal law having preemptive effect, the inconsistent state laws that companies must navigate when they experience a breach make it a practical impossibility to provide an immediate, meaningful response to affected consumers and government agencies.

Numerous differences in the 46-plus state data breach notification laws make notifying affected individuals and agencies complex, especially for companies with national operations.  Companies must perform extensive internal investigations to determine the number of individuals and states involved, the means and extent of unlawful access or acquisition, and the nature of consumer information accessed or acquired just to initiate the notification process.  They must then examine applicable state laws to determine who (e.g., residents, state agencies, and/or consumer reporting agencies) should be notified, when, and how.  Some states even dictate what information must or cannot be disclosed.  Often, that requires separate forms of notification to individuals depending on where they reside.

Given the current landscape, the question is not whether a comprehensive federal data breach notification law should or will be adopted, but when.