The GAO report could be praised for three things. First, the GAO presents an excellent outline of the basics of data protection and of the tension between those seeking new and revolutionary innovation based on data collection and those concerned for individual privacy. Second, the report notes the need for increased funding of the FTC so the agency can conduct more vigorous enforcement. Finally, the report concludes that a federal data breach privacy law is needed. Despite these good points, the GAO’s report falls short for two reasons.
The first reason is that the report does not address the issue of pre-emption. Black’s Law Dictionary[ii] defines pre-emption as, “Doctrine adopted by the U.S. Supreme Court holding that certain matters are of such a national, as opposed to local, character that federal laws…take precedence over state laws. As such a state may not pass legislation inconsistent with the federal laws.”
Pre-emption is a major obstacle that prevents the passage of a federal data breach law.[iii] Republican legislation on data breaches generally prefers pre-emption because a federal data breach law provides uniformity. Currently, state laws dealing with data privacy have different standards defining what counts as personal information, when to contact the appropriate authorities, and so forth. What is problematic is that these different state standards conflict with one another. A company such as Target would need to comply with 50 different standards when there is a nationwide breach of its systems.
Democratic legislation on data breaches typically does not want pre-emption; instead, in the interest of consumer protection, it would prefer to have federal and state jurisdictions working together or concurrently. The problem with this approach is that a federal statute would then not solve the compliance problem a company faces when it has to deal with a breach. Under the Democratic approach, a company would have to deal with an additional layer of regulation on top of the existing one.
The GAO needed to address the issue of pre-emption. Doing so would have provided Congress with an understanding of the costs that companies incur in complying with a patchwork of different state laws versus a single, uniform federal law.
The second shortcoming in the GAO report is its failure to discuss the work done by Health & Human Services (HHS). HHS oversees the Health Insurance Portability and Accountability Act (HIPAA), the laws and regulations dealing with patients’ information. The Gramm-Leach-Bliley Act (GLBA), which covers banks and other financial institutions, is the other federal data privacy law that has a provision addressing data breaches. The FTC primarily oversees the enforcement of the GLBA.
A GAO assessment of HHS’ work on HIPAA enforcement would have provided Congress a point of reference when reviewing and developing the FTC’s role in data breach enforcement. The GAO needed to compare how HHS and the FTC handle data breach enforcement. This information would have given Congress a better understanding of how a federal data breach law would be enforced. There is a consensus that the FTC needs to be the primary agency enforcing the federal data breach law. Reviewing HHS’ experience in enforcing data privacy under HIPAA would give Congress a better basis for providing the funding needed to equip the FTC when federal data breach legislation is passed.
In closing, a federal data privacy law is something that both consumers and businesses want and need. Recently, Intel issued its proposed version of a data breach law.[iv] Discussing pre-emption and providing a case study of HHS’ handling of data breaches in the medical field could have made a good report a better one. Hopefully, the GAO will revisit this topic to address these two matters. If the GAO is able to do so, it may provide clarity and break the logjam on the passage of much-needed legislation.
[ii] Black’s Law Dictionary 1177 (6th ed. 1990).