Privacy professionals have long lamented the myriad of approaches each state takes when it comes to data breach notification requirements. According to the National Conference of State Legislatures, 48 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring covered companies to make certain notifications to affected consumers and specified regulators when a security breach of personally identifiable information occurs.
When so many states have “left the barn,” can they be corralled into one consistent regulatory scheme? That is the question the Uniform Law Commission plans to delve into over the coming year. At its recent annual meeting in San Diego, California, the executive committee of the Commission approved a study committee to assess whether it is desirable for the Commission to draft a uniform act governing data breach notification requirements.
What is the ULC?
Created in 1892, the Uniform Law Commission develops and drafts uniform legislation for consideration by state legislatures. Past work of the Commission has produced legislation such as the Uniform Commercial Code and the Uniform Electronic Transactions Act. The Commission is comprised of several hundred judges, law professors, legislative staff, legislators and attorneys in private practice (“Commissioners”). Each state, the District of Columbia, Puerto Rico and the U.S. Virgin Islands appoint Commissioners. I serve as a Commissioner for Virginia and attended the annual meeting in San Diego.
Charge of the Study Committee
The study committee will evaluate “the need for and feasibility of state legislation on data breach notification including consideration of what sorts of personal information should be protected; to whom, when and how notice should be provided and the contents of the notice.” At this time the committee is not authorized “to consider remedies for injury caused by a data breach.”
Why Now?
It was acknowledged by the Commission’s Scope and Program Committee that 48 states have enacted some type of breach notification statute. Often the Commission will not propose a uniform law if a significant number of states have already enacted laws on the subject matter. Given the various approaches by the States, the lack of uniformity and the emerging importance of privacy issues, the committee determined that there was value in assessing whether a uniform approach might be desirable and attainable notwithstanding that virtually every state has acted in this area.
What Happens Next?
Within the next two months, the President of the Commission will appoint members of the study committee. The committee will begin its work and report its findings to the Scope and Program Committee of the Commission. If the study committee decides that uniformity in state law is desirable in this area, it may recommend that the Commission’s Executive Committee authorize the study committee to begin the process of drafting a proposed uniform act that would eventually be provided to the States for consideration and adoption.
It is anticipated that the study committee will seek the input of the National Association of Attorneys General (“NAAG”) on this project. One of the rationales put forth for the Commission to undertake this project was the potential to work jointly with NAAG. Support of state attorneys general will be important to the overall success of this project. The study committee will solicit input from a broad array of stakeholders over the next year.
Implications for the Privacy Professional?
The time period for study and then possible drafting of a uniform law may take anywhere from one to three years due to the process followed by the Commission. The study period usually takes a year prior to determining whether to proceed to a drafting committee. A proposed uniform act is usually debated, revised and further considered for a minimum of two years before it is finalized and sent to the States for consideration. At that point, the Commissioners of each state are asked to seek introduction of the legislation in their state and to advocate for its passage.
While it is too early to gauge the success of a uniform law on this subject at state legislatures, it is fair to say that the prospects for success will be significantly impacted by whether state attorneys general are on board with any proposed changes. Consumer protection is a primary focus of every state attorney general, and any change to their authority without their support will impact the likelihood of widespread adoption of a uniform approach to this topic.
Short term, this development does not impact a company’s response to a data breach. Long term, if the effort is successful it has the possibility to lower compliance costs when a breach occurs and notification is required. If there is any possibility of divining a path to a uniform approach, the Commission appears to be the body that has the track record to lead the States to that end.