According to a recent analysis by the Congressional Research Service (“CRS”), the extent of state law preemption in recent federal legislative proposals relating to data security is unclear. Several bills introduced in the 114th Congress would impose federal data security or breach notification requirements on covered entities, similar to existing requirements in nearly every state.
The CRS report notes that all of the current bills on this topic include express preemption clauses, but the scope of that preemption will ultimately be a matter of interpretation, particularly in bills that include saving clauses that preserve certain aspects of state law. For instance, the language of the proposed bills may lead to differing interpretations of both the type (e.g., statutes, regulations, or common law) and the subject matter of the state and local actions that are being preempted. In addition, the report explains that express preemption clauses do not foreclose other types of implied preemption, such as conflict or impossibility preemption.
Finally, the CRS Report describes the current scope of FTC and FCC authority over data security enforcement and the proposed changes to that authority in the legislative proposals. Several of the bills propose changes to the agencies’ existing enforcement authority, though others would maintain the current enforcement regime. For instance, one bill (H.R. 1704) would expand FTC jurisdiction over the new requirements to include common carriers, which are currently not subject to FTC unfair or deceptive practices authority under Section 5, but leave FCC enforcement authority intact. Another bill (H.R. 1770) would similarly expand FTC jurisdiction to include common carriers, but also strip the FCC of its current jurisdiction over the data security practices of common carriers under the Communications Act.
It remains to be seen which, if any, of the current legislative proposals in this area will gain traction in Congress and ultimately be enacted into law.