Please enable JavaScript to view this website.

The Ongoing Debate Over Federal Preemption in Breach Notification Requirements for Financial Institutions

Financial Institutions operating in the United States face two sets of breach notification requirements (BNR): one established by the Gramm-Leech Bliley Act (GLBA), and the other by state law. Currently, the GLBA sets a minimum BNR, allowing states to develop higher standards.1 For example, while under the GLBA an institution is only responsible for notifying its customers following a breach.2. Other states, like California, requiresnotification to any resident of the state after a breach3 In the wake of recent massive security breaches, federal policy makers have begun in earnest to propose new BNRs to address existing gaps and inconsistencies in the current regime4 One issue animating the debate is whether federal BNR should preempt state BNR.


Not surprisingly, the financial industry has been advocating for federal preemption5 In essence, their argument hinges on efficiency. Institutions fear that a patchwork of state laws will increase compliance costs and reduce the ability of firms to effectively plan for a breach.6


Opponents of federal preemption include privacy advocates and state attorneys general.7 These groups oppose federal preemption because it strips states of their vital role as the nation’s BNR laboratory.8 After all, California preceded the GLBA in its development of the first state BNR.


Sensing a way forward in the debate, some have pointed out that a strong enough preemptive federal law could address the dual concerns of consistency and adequate protection.9 This idea resembles the European Union’s ambitions Data Protection Regulation, set to come into force in 2018. Even conceding its advantages however, a strong, preemptive federal BNR leaves open many questions—namely, what policy provisions should this national BNR contain? Additionally, given the glacial pace of this countries’ legislature, could a well-intentioned national law keep up with changes in the equally rapidly developing landscape of data breaches? While we wait, the delay of an honest debate endangers the public and our financial institutions.







  1. 15 U.S.C. § 6807(a). 

  2. Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 70 FR 15736-01 III.A(1), 

  3. See e.g., CAL. CIV. CODE § 1798.82(a). 

  4. See e.g. the Obama Administration’s proposed Personal Data Notification & Protection Act, available at (last visited September 28, 2015). 

  5. See Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework 7, available at paper.pdf (describing the vast majority of industry groups favoring a preemptive federal breach notification law). 

  6. See Karla Grossenbacher, Businesses Need a Preemptive Federal Law on Data Breach Notification, The Hill (July 24, 2015), 

  7. See e.g. Federal Data Breach Legislation Should Not Preempt States, Nat. Assoc. of Attorneys Gen., (last visited Sep. 17, 2015); see also G.S. Hans, White House Data Breach Legislation Must be Augmented to Improve Consumer Protection, Ctr. for Democracy & Tech., (Jan. 16, 2015). 

  8. See CDT Issue Brief on Federal Data Breach Notification Legislation, Ctr. for Democracy & Tech., Brief_DataBreach_TEH2.pdf (Jan. 27, 2015). 

  9. See Data Security and Breach Notification Legislation Gaining Traction in Congress, Hogan Lovells, (Mar. 30, 2015).