Data Security and Breach Notification Legislation: Selected Legal Issues [December 28, 2015]
"Recent data breaches at major U.S. retailers have placed a spotlight on concerns about the security of personal information stored in electronic form by corporations and other private entities. A data breach occurs when data containing sensitive personal information is lost, stolen, or accessed in an unauthorized manner, thereby causing a potential compromise of the confidentiality of the data. Existing federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and the Gramm-Leach-Bliley Act, impose security and breach notification requirements on specific industries or types of data. […] The report then addresses two legal issues that may arise in consideration of new legislation about data security and breach notification. First, how would new federal legislation alter the application of existing state law or the availability of state law remedies for victims of data breaches? The report will discuss various forms of federal preemption (including express preemption, implied impossibility preemption, and implied obstacle preemption) and evaluate how a reviewing court might apply these preemption principles to federal proposals to determine which state laws would be superseded. Second, the report examines the existing jurisdiction and enforcement authority of the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) with regard to data security and breach notification requirements."
CRS Report for Congress, R44326
Federation of American Scientists: http://www.fas.org/sgp/crs/index.html