As if compliance with the various federal privacy and data security standards weren’t complicated enough, we may see state courts begin to import these standards into determinations of privacy actions brought under state laws. Figuring out which federal privacy and data security standards apply, particularly if the standards conflict or obliquely overlap, becomes a veritable Rubik’s cube puzzle when state statutory and common law standards get thrown into the mix.
A state court may look to standards applied by the Federal Communications Commission (“FCC”), the Federal Trade Commission (“FTC”), the Department of Health and Human Services (“HHS”), or some other federal agency asserting jurisdiction over privacy and data security matters, and decide whether the applicable standard or standards are preempted by state law. The state court may also decide that one or more of these federal agencies’ standards represent the “standard of care” to be applied in determining a matter under state law. Or, as shown in a recent Connecticut Supreme Court decision discussed in Michael Kline’s November 9th post, a court may decide that state law is not preempted by federal law or standards in one respect, while recognizing that the federal law or standard may embody the “standard of care” to be applied in deciding a privacy or data security matter under state law.