Consider the Risks: An Insurance Law Blog
In prior posts, I have discussed Massachusetts’ recent privacy statute, GL 93H and associated regulations, and the likely impact of such laws on the emerging privacy insurance market. Massachusetts is not alone in legislating in this area; more than forty other states have enacted similar legislation, although there are a number of substantive variations among such statutes.
On April 29, 2009, a bill was introduced into the U.S. House of Representatives, HR 2221, the Data Accountability and Trust Act, which imposes requirements similar to those in many of these state statutes. Ordinarily, action by Congress in the area of interstate commerce can bring order to chaos among the states where myriad state statutes create a compliance nightmare for businesses that operate in interstate commerce, and this may certainly be true when it comes to the protection of personal information. HR 2221, in its current form, however, seems flawed, may be anti-consumer, and is unlikely to promote uniformity in the area of privacy regulation. An additional potential downside is that it may impede uniformity in the privacy insurance market, and that may be bad for purchasers, sellers, and consumers as the ultimate beneficiaries of privacy insurance products.
Who benefits by delay?
One glaring problem with HR 2221 is its timing. As prior posts and many news stories have noted, the privacy risk is now. Private data is everywhere, and barely a week goes by without another headline documenting the release of private data by businesses, yet HR 2221 does not become effective until one year from the date of enactment, when federal regulations consistent with the act are due. Most states have already passed their acts, and many, including Massachusetts, have issued their regulations, solicited comments, and considered or, where necessary, postponed compliance deadlines. Similar timetables for regulations, comments, and delayed compliance in connection with federal legislation will result in increased exposure of consumers to the release of private information. Coupled with the preemption problems noted below, this delay benefits no one. While businesses conceivably gain by postponing compliance costs, they remain exposed to the harm to their business that inadequate privacy protection can entail, and they remain potentially subject to competing state statutes.
Incomplete Preemption Compounds The Problem
Federal legislation provides uniformity not only because it establishes a uniform federal standard, but because it effectively replaces and precludes enforcement of inconsistent state statutes through the doctrine of preemption. In the case of HR 2221, we are dealing with express preemption.
Section 6 (EFFECT ON OTHER LAWS) of the bill provides:
(a) Preemption of State Information Security Laws- This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State, with respect to those entities covered by the regulations issued pursuant to this Act, that expressly–
(1) requires information security practices and treatment of data in electronic form containing personal information similar to any of those required under section 2; and
(2) requires notification to individuals of a breach of security resulting in unauthorized acquisition of data in electronic form containing personal information.
…
(c) Protection of Certain State Laws- This Act shall not be construed to preempt the applicability of–
(1) State trespass, contract, or tort law; or
(2) other State laws to the extent that those laws relate to acts of fraud.
The Massachusetts statute applies to hard copy records as well as to data in electronic form. If HR 2221 is enacted, only time and expensive litigation will determine whether, under this language, the Massachusetts statute is preempted in part (only as to electronic records) or in its entirety. Other arguments for incomplete preemption are possible. With anything less than complete preemption of state legislation, the benefits of uniform federal legislation are lost, and businesses must potentially comply with both the federal and the state standards.
What is the impact of HR 2221 on the emerging privacy insurance market?
It is difficult to project the impact that enactment of HR 2221 may have on the emerging market for privacy insurance. On the one hand, the risk of litigation over a privacy breach is likely to be the driving force in companies' purchase of such insurance, and, as noted above, HR 2221 expressly states that it does not supplant state law claims based on breach of contract, tort, or fraud. On the other hand, the uncertainty created by incomplete preemption is likely to negatively impact uniformity in pricing and possibly in terms of coverage. Other provisions may affect the market for smaller businesses. For example, Section 3 of HR 2221 (Notification of Information Security Breach) provides a substitute notification provision for entities that maintain private information on fewer than 1000 individuals. This substitute notification provision could affect first party notification coverages for such small entities, though companies that operate below the 1000-individual threshold are likely to have minimal impact on the market for such coverage.
Conclusion
While timely enactment of comprehensive, uniform federal privacy legislation and associated regulations would have been, and may yet be, a positive development, there are many aspects of HR 2221 that are or may be flawed, including several of the points noted in this post.