Red, blue & purple data breach laws: what they reveal

Abstract

The increase in data breaches is a serious threat to the protection of consumer information. Timely notification of the consumers’ vulnerability after a breach is essential. Currently, in the U.S., no federal data breach notification law exists. Given the advancements of Artificial Intelligence (AI) and its potential for a greater and more critical role in our daily lives, the lack of federal breach legislation is of even greater concern. The issue for operating American businesses is that currently each state has its own law. Given the Internet of Things, and the fact that businesses have customers located in different states, without a federal law, businesses need to figure out each state’s law and comply with each. Additionally, the multiple state laws with their varying requirements make it burdensome for companies to comply. Addressing these concerns, this article reviews the U.S. data breach notification laws at the state level to inform the drafting of a much-needed federal law. We analyze the content of the laws considering when they were enacted, the definition of personal information, the notification deadline, and the regulatory strictness, which we define as the combination of biometrics, restricted reporting deadlines, and health/medical information. We hypothesized that: (1) the contents of the laws have changed from their original content, (2) there is a relationship between the contents of the law and when the original law was passed, and (3) one political party would dominate when the original law was passed. We found our first hypothesis to be true: the laws have changed content. A relationship exists between the contents of the law and when the initial data breach notification law was passed. An increase in the regulatory strictness of laws was discovered. This provides evidence of states’ attempts to improve the content of these laws. Our third hypothesis was not supported.
We found that purple states with joint control in the executive and legislative branches dominated when the original state data breach laws were enacted. This research is significant because it provides evidence that although there is a patchwork of state policies, there exist commonalities in the state laws that could be used to draft a bipartisan federal law. This federal law should be accomplished with bipartisan dialogue in the U.S. Congress. A model code created by the Uniform Law Commission (ULC) would not suffice because of the long timeframe it takes for the ULC to promulgate uniform model codes. Given the rapid advancement of AI threats to data protection, there is no time to waste. A federal law would ease the burden on companies that must accommodate the multiple provisions of multiple state laws.

Keywords

LAW/JURISPRUDENCE, LAW/JURISPRUDENCE::Public law, LAW/JURISPRUDENCE::Public law::Social welfare law, TECHNOLOGY, TECHNOLOGY::Information technology, SOCIAL SCIENCES::Business and economics, SOCIAL SCIENCES::Business and economics::Business studies, TECHNOLOGY::Information technology::Computer science, TECHNOLOGY::Information technology::Computer science::Software engineering, TECHNOLOGY::Information technology::Computer engineering, LAW/JURISPRUDENCE::Private law::Commercial and company law, LAW/JURISPRUDENCE::Private law::Company law, MEDICINE, MEDICINE::Social medicine