As of January 2014, 46 states have enacted legislation that requires companies to notify individuals of data security breaches that could lead to the dissemination of an individual’s personal information.
In 2005, Pennsylvania enacted its own statute, The Breach of Personal Information Notification Act. In addition to this patchwork of state laws, there are various federal laws which are potentially impacted when a company experiences some type of data breach. There is no single, comprehensive law that regulates the privacy, collection, processing, and security of personal information. However, there is a groundswell of support for the creation of such a federal law.
On November 6, 2014, a group of 44 service and retail industry trade associations sent a letter to the Majority and Minority leaders in both the House and Senate. The letter urges Congress to adopt a single data breach notification standard at the federal level. The letter states, “A single, federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected customers regardless of where they live or where the breach occurs.”
The letter requests that this federal law apply to all entities that handle sensitive information, with no exemptions for any particular business sector. The letter also requests that the payment card issuers themselves be required to adopt more secure measures to guard against theft of financial information. Similarly, in October 2014, the President directed the federal government to take steps to improve the security of financial transactions in the United States. The President indicated that efforts would be explored with banks and credit card companies to strengthen their identity theft protections, such as the use of chip-and-PIN technology.
While it is unlikely that Congress will act in the very near future given the recent elections, it is entirely possible that Congress will eventually enact a single, comprehensive federal law sometime in 2015 to address mounting concerns over data security protection and regulation.