"We would very much welcome a federal law that supersedes the state laws. Even if they just made 1386 a federal law it would help, because right now you have every state enacting something different," Lefemine said. "The state laws all seem to have minor caveats that create challenges. We need something that is easily defined and understood nationwide to help us move forward."
For instance, if individual states begin requiring vastly different levels of encryption to be applied to consumer data -- a foreseeable possibility -- it would create huge policy and technology management problems for businesses like Lincoln Financial, according to the CISO.
Despite the promises of executives like Lefemine, who say they must protect customer data at all costs to keep their clients from jumping ship, privacy experts maintain that businesses desire a national law because it will be less demanding than the existing state guidelines.
States have always done a better job at protecting the privacy of their residents because they can act more quickly and decisively in creating and enforcing laws, said Ed Mierzwinski, consumer program director at U.S. PIRG, a federation of state public interest research groups.
Some business leaders have the interests of consumers at heart, but most just want to save time and money, the privacy watchdog claims. Mierzwinski also said that any law passed by Congress in 2007 likely will be weaker than the existing state mandates, including California 1386.
"The examples are legion where industry says we need a national uniform law and that they will support one, and then Congress ends up passing a weak law full of exceptions that takes away state activities forever, and it's not worth the price," Mierzwinski said.
The expert said that Boston-based PIRG is currently fighting the passage of the federal bills based on the fact that it views the proposed laws as too soft on industry. If large national companies can afford to market to individual consumers, as they increasingly claim to, they should be able to conform to slightly different laws in each state, he said.
"Industry has a view that tends to overstate the problem. It's shocking to me that they say they can't figure it out when they can slice-and-dice their customer base and target market to individual consumers," Mierzwinski said. "They're saying they can't deal with a maximum of 54 state and territorial laws, which makes no sense. Even if it costs more, they should agree that the benefits are worth it."
Other privacy advocates agree, and pointed to the federal bills that did not pass in 2006, based on many of the same arguments, as proof that a national data protection standard may not benefit consumers in the end.
Pam Dixon, executive director of the nonprofit World Privacy Forum, based in San Diego, observed that those laws wouldn't have measured up to California 1386 by the time they were put up for approval by Congress.
"All the bills morphed a lot, they were really weak and very watered down from their original formats," Dixon said. "In general, this comes down to a very deep government question about whether you want to have national preemption on every law because industry says they can't comply; and this has always been an issue, because as bills go national they get watered down as the lobbying dollars take effect."
Some experts say there is room for both federal and state intervention, as long as states retain sufficient power to enact their own measures.
Lillie Coney, associate director with the Electronic Privacy Information Center (EPIC) in Washington, said that while state laws will be the most important, a national guideline could help provide a baseline of expected consumer protection.
"The states are the best place to figure out what works best, but the feds can set a minimum and still allow states to go further to suit their interests," Coney said. "It will take a lot of hard effort and creativity to come up with policies that work and at the same time don't constrain innovation."