Almost all states in the U.S. have their own data breach notification legislation. Now a new federal bill has been proposed that could preempt those state-level laws. The Data Acquisition and Technology Accountability and Security (DATAS) Act was released as a discussion draft in February 2018. If enacted, it would apply to “any person, partnership, corporation, trust, estate, cooperative, association, or other entity that accesses, maintains, stores, or handles personal information.”
The DATAS Act would require every type of entity listed above to implement security safeguards protecting the personal information it stores. In the event of a breach, the breached entity must conduct a risk assessment to determine whether there is a “reasonable risk that the breach has resulted or will result in identity theft, fraud or economic loss” to the people whose personal information was compromised. Only if that assessment finds such a risk must the breached entity issue the required notifications, which it must then do without unreasonable delay.
Many state attorneys general have criticized the discussion draft of the DATAS Act, objecting that it would override rather than supplement the breach notification laws each state already has. A bipartisan group of 32 state attorneys general (20 Democrats and 12 Republicans) sent a letter opposing the draft to the House Financial Services Committee on March 19. Lisa Madigan, the Illinois attorney general, led the group.
The points of contention include the draft’s apparent effort to preempt state regulation while exempting credit reporting agencies such as Equifax from its scope. The DATAS Act’s definition of covered entities is not comprehensive: it notably exempts credit reporting agencies and the financial institutions regulated under the Gramm-Leach-Bliley Act, which would leave those entities outside both the federal requirements and the state laws the bill preempts.
The proposed bill also appears to weaken consumer protection in most states, because its breach reporting requirements are less strict than existing state rules. It gives the breached entity the advantage of deciding for itself how much risk the breach poses to consumers, and therefore whether notifications need to be issued at all. It also leaves room for entities to delay notification, potentially until consumers have already become victims of identity theft or fraud.