With several pieces of legislation introduced in Congress to establish a national data breach notification law and enhance data security, 47 state attorneys general have asked lawmakers to not preempt similar state laws already in force if a federal law is enacted.

“Any additional protections afforded consumers by a federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft,” the AGs write in a letter to House and Senate leaders. The states, they add, are better able to quickly adjust to new challenges in a data-driven economy.

Also See: Where Congress Stands on a National Breach Notification Law

The attorneys general reminded leaders of a similar letter in 2005 warning that preemption “interferes with state legislatures’ democratic role as laboratories of innovation. The states have been able to respond more quickly to concerns about privacy and identity theft involving personal information and have enacted laws in these areas years before the federal government.”

Further, states are on the front lines in helping consumers deal with breaches, with offices that help consumers remove fraudulent charges from financial accounts and repair credit following identity theft, according to the letter. Illinois, for instance, has helped 38,000 residents remove unauthorized charges. The states also investigate breaches and monitor businesses’ compliance with state regulations to have reasonable security practices and notify consumers when a breach does occur.

Several states also have enhanced breach notification laws in recent years to add additional protections, such as requiring notification for compromised biometric data, login credentials for online accounts and medical information, the letter states. “Our constituents are continually asking for greater protection. If states are limited by federal legislation, we will be unable to respond to their concerns. Toward that end, it is important that any federal legislation ensure that states can continue to enforce breach notification requirements under their own state laws.”

Text of the letter and its signees is available here.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access