State attorneys general (AGs) continue to emerge as major regulators of privacy and, increasingly, of compromises of health-related data.
Businesses concerned with U.S. customer or employee data have long known the importance of the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services, among other federal agencies, in privacy regulation and enforcement, but the keen interest of state attorneys general in privacy, and increasingly in private health information, has received less attention.
That tide appears to be turning. At an international data privacy conference taking place this week in Washington, D.C., sponsored by the International Association of Privacy Professionals, both federal and state privacy regulators emphasized the importance of state AGs in privacy regulation and enforcement.
In an interview by the Washington Post with FTC Commissioner Terrell McSweeny yesterday, the Commissioner repeatedly emphasized the close working relationship the FTC enjoys with many AG offices on privacy investigations, and praised state AGs for doing “yeoman’s work” in contributing to the privacy landscape in the United States, particularly where privacy reforms have been stalled at the federal level.
Further, comments yesterday by privacy and consumer protection officials in the offices of the Illinois and District of Columbia AGs confirm their deep work in the area of privacy regulation and enforcement, and indicate that states are looking to shift their attention from the increasingly common retail breaches involving compromised credit card information to “higher-risk” personal information, including health care data. Because of the sheer number of data security incidents reported to their offices, according to these officials, AGs are now “triaging” the losses and are increasingly interested in the inappropriate loss or exposure of data that has long-term consequences for an individual, such as health information and Social Security numbers. Unmistakably, these offices, either through single-state investigations or by way of coordinated multi-state proceedings, are looking to send a message to businesses that subject consumers or employees to long-term harm because of data loss. Not coincidentally, this triaging of enforcement efforts parallels the introduction and passage of state legislation that expands the lists of personal information reportable to affected individuals, as well as to the AGs, to include biometric data and health information. It is also significant that, under HITECH, state AGs are given the authority to investigate HIPAA-related issues on behalf of the Department of Health and Human Services Office for Civil Rights (OCR). As enforcement activity in the health care privacy/security sector continues to reflect significant participation by both the OCR and FTC, state AGs may start to bridge the gap between the two federal agencies.