A number of recent developments indicate that the 110th Congress, to be seated in January, may seek to federalize data privacy laws and preempt state legislation in that area. Several data security bills were introduced in the 109th Congress; however, to date, none have passed.
Sen. Patrick Leahy of Vermont, the incoming chair of the Committee on the Judiciary, recently reiterated his commitment to enacting privacy legislation. One of Leahy’s aides noted that he expects the reintroduction of S. 1789, a bill heard by the Judiciary Committee that did not progress. In addition to creating requirements for protection of data and notification of breaches, S. 1789, at least as revised in 2005, contains the following clause: “No State may require any business entity subject to this subtitle to comply with any requirements with respect to administrative, technical, and physical safeguards for the protection of sensitive personally identifying information.”
Senator Diane Feinstein of California, incoming chair of the Senate Committee on the Judiciary Subcommittee on Terrorism, Technology and Homeland Security, also plans to introduce legislation concerning notification of data breaches. Feinstein introduced similar legislation in 2005. That bill, which was referred to the Committee on the Judiciary, would have preempted state law only to the extent it was inconsistent.
For more on other data security bills introduced in the 109th Congress, see this Alert.