47 State Attorneys General Ask Congress Not to Preempt State Data Breach Laws

In a letter to Congress, dated July 7, 2015, the majority of State Attorneys General made some noteworthy points that illustrate the differing perspectives on data breaches between states and the federal government. With Congressional passage of a federal law establishing a national data security and breach notification standard all but inevitable, 47 Attorneys General urged Congress to ensure that this new law does “not diminish the important role states already play protecting consumers from data breaches and identity theft.”

The Attorneys General emphasized that they “regularly respond directly to [consumer] complaints and calls” to address identity theft and other repercussions of data breaches. They pointed out that many states require data collectors experiencing breaches to directly notify the Attorney General of the state where the affected consumers reside. This requirement, the Attorneys General argued, “enables those offices to more quickly respond to breaches and accurately provide information to concerned consumers” and offer “much-needed transparency over data breaches.” They also observed that no single agency can effectively oversee and regulate a field as massive and dynamic as data security and that federal and state interests differ regarding small or regional data breaches.

A corollary to this is the point that many states have recently updated their data breach laws and are more responsive to changes in technology and data breach trends as a result. In 2015 alone, Connecticut, Illinois, New Hampshire, North Dakota, Oregon, Washington and Wyoming have all updated their data breach notification statutes, and other states, such as New York, are considering doing the same. These state statutes are beginning to incorporate encryption standards and to require notice and protections regarding identity theft, and many are broadening the scope of protected personal information to include data like online credentials and online accounts.

The Attorneys General ask that any federal data security legislation “not hinder states that are helping their residents” and note that “[p]reempting state law would make consumers less protected” at a time when they are seeking greater protection. It seems unlikely that the forthcoming federal legislation will meaningfully limit states and their ability to enforce and impose their own laws and requirements regarding breach notification and data security. This letter signals that many State Attorneys General see the need for increased protection and legal activity in this area and will continue to protect their constituents from the perils of identity and data theft.

This post was contributed by Kurt Bratten.

 



About Kurt Bratten

Kurt Bratten is a Partner in our Health Law Department. His practice includes a wide range of civil litigation, transactional work, and compliance and other advisory services. Kurt’s primary focus is counseling health care providers regarding compliance and transactional matters including managed care contracting, HIPAA and other confidentiality rules, anti-kickback and self-referral requirements, and other provider group-specific state and federal regulations.