A key distinguishing feature of U.S. data privacy laws is their patchwork nature. There are industry-specific data privacy laws at the federal level (think HIPAA or the GLBA), yet there is no comprehensive federal standard that governs an entity’s obligations in the event of a data breach, unlike the EU’s Data Privacy Directive. For data breach response, in addition to the possible application of an industry-specific law or regulation, companies doing business in the U.S. must look to 47 different state laws.
Congress has attempted at various times to change this situation (or remedy this problem, depending on your perspective) by introducing legislation that would bring uniformity to the legal system. In the 113th Congress, S.1193 – the “Data Security and Breach Notification Act of 2013” – was referred to Committee, but never made it out.
H.R. 1770, the “Data Breach Notification Act of 2015,” was passed by the House Energy and Commerce Committee by a vote of 29-20 in April. But, as this Roll Call article points out, it has since stalled. Roll Call notes that the reason the bill has stalled is that Congressman Peter Welch (D-VT) and other Democrats have opposed a Republican markup that declines to expand the definition of protected “personal information” to include health records. The Roll Call article ends by stating that “Committee staff think they can reach an accommodation with Welch to include more protections for medical records,” but notes that multiple industry associations oppose the bill. Multiple public interest groups wrote a letter to Congressman Fred Upton (Chair of the Committee on Energy and Commerce) complaining that the bill, if passed, would weaken the protections given to consumers under state law (in part because of the lack of protection for health records).
There are many benefits that a uniform standard would bring to businesses, but with opposition coming from both industry and consumer groups, it is difficult to see the bill gaining much momentum toward passage. Data privacy in the digital age is still a relatively new concept, and for now it is being left to state experimentation. Watching how our friends across the Atlantic manage their more comprehensive data security laws, and learning from their successes and failures, could have its benefits.