While everyone can agree on the need for cybersecurity standards, just who should set them is a matter of some debate. Though a federal standard for privacy and cybersecurity could make it easier for tech companies to conduct their day-to-day operations, the current patchwork of state laws could provide for more stringent enforcement and better protection for consumers.

Laura Moy, executive director of Georgetown Law's Center on Privacy & Technology, believes that a federal standard that eliminates state laws surrounding cybersecurity could do more harm than good.

“There are a number of reasons consumers benefit from state cybersecurity and privacy laws—not only do they often contain strong substantive standards, but states are often much more able to update their laws in response to the changing digital environment than Congress can do,” Moy said.

According to Moy, at least 23 different states across the country updated data security, breach notification, and privacy laws between 2015 and 2018. She also praised the ongoing work of state attorneys general in the day-to-day application of cyber law.

“Consumers also benefit from the excellent work of state attorneys general who not only vigorously enforce state-specific laws, but also engage in ongoing dialogue with businesses and provide useful guidance materials that help well-meaning businesses to comply,” Moy said.

Last April, 31 state attorneys general signed a letter urging Congress members not to move forward with the Data Acquisition and Technology Accountability and Security Act, a federal breach notification bill that gained traction in the wake of high-profile data leaks like the one that took place at Equifax in the fall of 2017. If passed, the law would have created a single set of breach reporting guidelines for companies across the United States.

“The states have been able to respond more quickly to concerns about privacy and identity theft involving personal information and have enacted laws in these areas years before the federal government,” the letter read.

For tech companies, however, such a federal bill might have been a positive. After all, trying to satisfy a series of conflicting state laws can be a costly endeavor that adds an extra layer of complication to potential cyber breaches.

Rebeca Rakoski, a co-founder and managing partner of XPAN Law Group who is focused on cybersecurity and privacy, argues that while technology itself will continue to evolve, laws surrounding breaches will not change substantially enough to justify the existence of a patchwork of conflicting state laws.

“The only thing that would change is maybe they come up with a creative new way to define a breach or an incident, but at the end of the day the time period that you have, who you have to report to, what constitutes PII (personally identifiable information), those types of things are not really going to change substantially enough ,” Rakoski said.

She also pointed out that states like New Jersey, New York and California are more progressive than others when it comes to matters of cybersecurity and privacy, which can create problems for small to mid-size tech companies who have business interests spread across the country.

Incidents like data breaches could require an organization and its legal counsel to navigate several conflicting sets of procedures and requirements, adding a burden of time and money. Rakoski believes a singular federal standard that provides room for companies to adapt to evolving technologies and operate day-to-day business without having to worry about a conflicting set of patchwork laws is the more practical course.

“I think the trick is to create a law that has enough flexibility in it so that corporations and organizations can make business decisions and do that risk analysis and still be highly effective,” Rakoski said.