Litigation arising from data breaches involving the disclosure of personally identifiable information belonging to consumers and employees is on the rise.  The ingenuity of hackers is second only to the ingenuity of the plaintiff’s bar in crafting complaints with varied causes of action seeking recovery for a wide variety of alleged injuries and potential injuries.  In this type of litigation, plaintiffs often assert injuries arising out of delayed or insufficient notice of the breach to those whose information was compromised.

Currently, a company’s notification obligations in the event of a breach involving personally identifiable information are dictated by state law with 47 states, as well as the District of Columbia, having enacted data breach notification laws.  There is no federal legislation that comprehensively addresses this issue.  In the absence of federal legislation on the subject, in the event of a data breach, companies need to comply with the patchwork of laws that exist in the states in which the individuals affected by the breach live. 

Congress is poised to consider a federal data breach notification law this session.  Bills have previously been introduced in both the House and Senate addressing the obligations of companies that experience data breaches involving personally identifiable information.  Both bills provide for federal preemption of state data breach notification laws.  On July 7, 2015, 47 attorneys general from jurisdictions that have data breach notification laws (including the District of Columbia, Maryland and Virginia) sent a letter to Congress urging Congress not to preempt state law on this subject.  The letter asks Congress not to “disband[] the coalition of enforcers currently working on this growing problem.”  However, the term “coalition of enforcers” is a bit misleading, as it suggests that the state data breach notification laws are sufficiently similar to be the product of a concerted effort to address the problem.

Although there are some similarities among the state data breach notification laws, the differences among the laws are not insignificant.  The state attorneys general’s position fails to take into account the compliance issues that exist for businesses with customers or employees in multiple jurisdictions.  For example, many companies in the Washington D.C. metropolitan area collect personally identifiable information from customers who live in D.C., Maryland, and Virginia, and also have employees who live in those jurisdictions.  D.C., Maryland and Virginia each has its own data breach notification law, and the three laws differ in a number of ways.  For instance, the District gives no guidance in its law about what information must be included in the notice that businesses are required to send to those affected.  Maryland and Virginia have completely different (and lengthy) requirements in terms of the substance of the notice.  In addition, the Maryland law has a provision obligating businesses that use a third party as a service provider, and that provide personal information to the service provider pursuant to a written contract, to require the service provider by contract to maintain reasonable security procedures and practices.  No such requirement exists in the Virginia or District laws.  Yet a business with customers and employees in the District, Maryland and Virginia must comply with all three laws in the event of a data breach.  In the case of a company with nationwide operations, almost 50 different laws containing notification procedures would apply to the same breach.

One federal standard that applies to data breaches involving disclosure of personally identifiable information belonging to consumers and employees/applicants would provide a uniform compliance standard for businesses.  Businesses would be able to develop a comprehensive policy and protocol regarding the steps to take in the event of a data breach based on the federal standard, eliminating the impracticalities and doubts created by differing state compliance standards.  Data breach notification laws should not exist simply to provide plaintiffs’ lawyers with an avenue for filing claims against businesses that are nothing more than games of “gotcha” whenever a business fails to comply with the details of every state data breach notification law that applies to it.  Legislators at both the federal and state level should be concerned with providing clear guidance to businesses about how to notify those affected by a data breach, which will benefit all parties involved in a data breach.

Grossenbacher is a partner at the law firm Seyfarth Shaw and chair of the firm's Washington, D.C. labor and employment practice.