Packets of data identifying individuals are stored, sold, and swapped in more forums than it is possible to account for. As headlines signal more database-security breaches, increasing attention is being paid to the security of individuals’ personal information, particularly when that data is computerized. Beginning with California in 2003, all but five states have enacted data breach notification laws to help stanch and respond to data breaches. But because businesses often operate in multiple states, organizations may need to comply with several sets of regulations. This multiplicity of legislative layers has led to calls for a consistent federal standard that would supersede state laws, creating a comprehensive, uniform law.
This Comment rejects the notion that a comprehensive federal standard is the best way to protect the interests served by data breach notification laws. More than simply combating identity theft and economic harm to individuals, many state data breach notification laws serve to protect more varied interests, attempting to strike a balance between the conflicting effects on consumers and businesses. Data breach notification laws are still in their infancy, and the distinctions state have draw should be preserved. Rather than subjecting businesses to federal blanket disclosure requirements, allowing the market to correct the data breach problem state-by-state is the best way to ensure that the level of rigor is properly calibrated. Even assuming a federal law could capture the “best practices” proven through various state experiments, a uniform standard strips this defining power from states to set the bar at the level each finds fitting. State statutes—combined with subject area-specific federal regulations—are more discerning tools for data security policy than a blunt federal standard.