Tech leaders call for pre-empting of states' data breach laws
By Joseph Conn
Technology industry association leaders who testified Thursday before a House subcommittee hearing on whether legislation is needed for data breach reporting called for Congress to pre-empt state laws on data breaches. But at least one witness opposed such pre-emption.
“There is a growing and exceptionally strong case to be made for the creation of a national data breach notification framework that supersedes state data breach laws,” said Dan Liutikas, chief legal officer of the Washington-based Computing Technology Industry Association, a trade group for computer hardware manufacturers, software developers and other information technology specialists.
Liutikas spoke at a hearing before the House Energy and Commerce Committee's subcommittee on commerce, manufacturing and trade.
The hearing did not focus specifically on healthcare, since the healthcare industry has had its own federal breach notification law since passage of the Health Insurance Portability and Accountability Act amendments in the American Recovery and Reinvestment Act of 2009. But any law flowing out of these industry recommendations presumably would cover health-related information not protected by HIPAA. For example, personally identifiable records in health websites, which are impacted by breach laws in most states, could be affected by a more general federal breach law.
These health and fitness sites as well as mobile healthcare and fitness applications have come under increasing criticism and scrutiny for the laxity and opacity of their data sharing activities.
Federal pre-emption of state privacy laws has long been sought by some healthcare IT interests.
But Andrea Matwyshyn, assistant professor of legal studies and business ethics at the Wharton School of the University of Pennsylvania, testified against federal pre-emption.
In her written testimony, Matwyshyn called for a “centralized, publicly available Federal Trade Commission-managed” breach filing and registry system. But she added that a legal distinction should be drawn between regulation of breach disclosures and regulation and enforcement of information security laws.
“Federally streamlining data breach notification should not pre-empt states' rights to regulate information security conduct—both with respect to sanctions for a failure to disclose or correctly notify consumers and with respect to inadequacy of information security measures,” Matwyshyn said.
“Information security inadequacy in our economy among both public and private entities is rampant,” she said. “Determining the best legal regime for addressing information security breach liability still requires extensive experimentation on the state level to arrive at an optimal framework.”
Matwyshyn concluded that “it is dramatically premature and undesirable to federally limit liability for information security misconduct demonstrating a lack of due care. A centralized disclosure system and deference to federalism concerns present the best course of action at present.”
Follow Joseph Conn on Twitter: @MHJConn