Earlier this year, the Target and Neiman Marcus data breaches reminded consumers how vulnerable their data is.  Many thought that these incidents would be a wake-up call for the Congress to enact federal data security and breach notification laws.  As news stories chronicled these and other security incidents, members on both sides of the aisle called for such legislation.  But, despite numerous hearings, the introduction of bills, countless speeches, and near daily headlines on data security and privacy, legislation has stalled and seems unlikely to be enacted anytime soon. 

The question is, why?  Leaders in the business community have called for federal relief from the patchwork of state data breach laws.  Privacy advocates have supported a federal standard.  Democrats and Republicans agree on core elements of the bill.  Both want reasonable data security requirements in place, the creation of a single consumer notification standard to guide companies in the wake of a data breach, and enforcement by the Federal Trade Commission (FTC).  The makings of a deal are there.  With a federal standard in place, the business community would benefit from having just one set of rules to follow, and consumers would benefit from the FTC, a federal regulator whose mission is to protect consumers, having additional powers to enforce data security and breach standards.  


But, for all the momentum and consensus that has built up recently, long-standing differences are hampering progress.  One side is pushing for tort reform, limited and fixed rules, centralized enforcement, and caps on civil penalties.  The other side wants broad rules that can be amended to keep up with changes in technology, multiple regulatory enforcers, and uncapped penalty authority.  Put simply, consumer advocates are more than willing to continue pushing for legislation at the state level, where the appetite for this type of legislation is rapidly growing, rather than making compromises at the federal level, and certain elements of the business community would rather defer federal legislation than accept laws that lack liability protections and a predictable set of rules.

The solution to this impasse is to let both sides win.  That means making federal rules for data security and breach notification voluntary, opt-in standards enforceable by the FTC, instead of mandatory rules that remove all companies from the state system.  A federal scheme that only applies to those companies that sign up would allow businesses that want to avoid the patchwork of state laws to do so in favor of following the federal regulations.  Similarly, businesses that choose not to sign up for the federal standards would remain regulated by state law, allowing privacy advocates to continue to push for stronger laws at the state level.  Consumers would win because the FTC’s authority would be defined and enlarged, and states would retain certain jurisdiction to continue looking for creative solutions to ever-changing data breach problems.

Giving entities the option to be regulated is not an entirely new concept.  Former Senator Joe Lieberman and Senator Susan CollinsSusan Margaret CollinsOvernight Defense: Senate bucks Trump with Yemen war vote, resolution calling crown prince 'responsible' for Khashoggi killing | House briefing on Saudi Arabia fails to move needle | Inhofe casts doubt on Space Force House Dems follow Senate action with resolution to overturn IRS donor disclosure guidance Senate votes to overturn IRS guidance limiting donor disclosure MORE agreed to a similar structure in their push for cybersecurity legislation in 2012.   Also, the current data security and breach notification legislation sponsored by Senator Jay RockefellerJohn (Jay) Davison RockefellerSenate GOP rejects Trump’s call to go big on gun legislation Overnight Tech: Trump nominates Dem to FCC | Facebook pulls suspected baseball gunman's pages | Uber board member resigns after sexist comment Trump nominates former FCC Dem for another term MORE provides an opt-in option for certain entities.  While both sides might consider a voluntary scheme a half-measure, a half-measure that creates choice, flexibility, and protections for businesses and consumers is better than the uncertain status quo.

Bomberg, an associate in Hogan Lovells US LLP’s Privacy and Information Management Practice, served as staff to the U.S. Senate Committee on Commerce, Science, and Transportation between 2007 and 2013.  The views expressed in this article are those of the author and do not reflect the views of Hogan Lovells US LLP or any of its clients.