The Uncertain Landscape of Data Breach Notification
Posted by Peter Mucklestone and Stuart Louie
Despite approximately ninety-five publicly known instances of data breaches over the past year at banks, financial institutions, universities, retailers, securities firms, telecoms, data brokers, hospitals and government agencies, resulting in an estimated 51,000,000 compromised identities, efforts to create a uniform standard of notification through Congress remain delayed in House and Senate committees and have otherwise stalled until next session.
In the vacuum of federal guidance, twenty-two (22) states (at last count) have enacted their own regulatory guidelines. The problem is that many of these state laws conflict with one another, define breaches differently and set varying thresholds for notification triggers. The applicable Illinois statute, contrary to the laws enacted in other states, does not allow notification delays for law enforcement purposes. Many states have adopted a "no harm, no foul" approach to notification, whereas other states, such as Nevada and Minnesota, call for notification whenever an unauthorized breach occurs, whether or not any harm results. A few state statutes, including those of New Jersey and North Carolina, do not exempt encrypted data, even though such data is virtually unusable to most identity thieves.
Unfortunately, guidance to navigate the myriad of state data breach statutes is not likely forthcoming. Neither the Office of the Comptroller of the Currency nor the FDIC (which, incidentally, was recently subject to an instance of data breach) will step in to mediate the differences, since the Gramm-Leach-Bliley Act allows states to enact more stringent guidelines. For the time being, banks, financial institutions and other similar entities will be left to their own devices. According to Laura Fisher, senior public relations manager for the American Bankers Association, most banks are playing it safe: when confronted with conflicting state statutes, banks are likely to act in conformity with the more rigorous requirements.
To read more, see this recent article.