Georgia Attorney General Sam Olens has come out in support of federal data breach preemption as a more realistic way to ask companies to comply with regulatory requirements in the wake of a breach or data loss incident. His statement comes on the heels of California Attorney General Kamala Harris’ report that the burden on companies to comply with the patchwork of state data breach laws is too heavy, and that state laws should be harmonized to lessen that burden.
Speaking at the National Association of Attorneys General summit May 3, Olens asserted, “I frankly think it’s absurd that there are 30 or 40 different state laws on cybersecurity and breach.”
Rather than requiring companies that have been hacked to report to 30 different AGs with 30 different forms, Olens said, there should be a standard form that both the federal government and the states use. He pointed out that treating hacked companies as the bad guys right off the bat and imposing the immense burden of such rigorous and varying compliance is counterproductive.
“On the one hand, we need to tell the business community you’ve got to do your job, but on the other hand, we can’t immediately view the business as a defendant rather than a company that was just attacked,” Olens said.
Saying that “the day of benign neglect is gone,” Olens said companies that are lagging behind in putting reasonable security measures in place have no excuse. Companies should be able to show that they have made efforts to put into place best practices such as those recommended by the Federal Trade Commission.
As active enforcers of their state data privacy and security laws, attorneys general are increasingly part of the picture for businesses looking to respond to a data incident. Companies should be mindful of their continuing focus on this issue.
For our coverage of California AG Harris’ 2016 data breach report, visit our previous post.