Illinois Attorney General Lisa Madigan is leading a coalition of 32 attorneys general (AGs) in opposition to federal preemption in the area of data breaches, identity theft, and data security.
Specifically, the group wrote a bipartisan letter on March 19, 2018, to the U.S. House of Representatives Committee on Financial Services and the Subcommittee on Financial Institutions and Consumer Credit regarding the proposed Data Acquisition and Technology Accountability and Security Act, a draft bill introduced in the House last month. They are concerned that the bill, among other things, places consumer reporting agencies and financial institutions out of the reach of state enforcement. The AGs cite recent breaches as examples of the increasing threat and evolving nature of data security risks, and argue that the states have consistently proven themselves capable of rapidly and effectively responding to and protecting consumers at the state level through their own laws.
In particular, the letter points out three key shortcomings of the Act beyond the preemption of state laws: (1) it allows entities themselves to judge whether to notify consumers of a breach, which reduces the transparency afforded by state notification requirements; (2) it allows entities that decide to notify consumers to notify after the harm has already occurred, depriving consumers of the opportunity they currently have under state law to take proactive steps upon timely notification; and (3) it addresses breaches that affect 5,000 or more consumers, leaving attorneys general without the ability to redress the majority of breaches affecting consumers today that do not occur on a national scale.
Although federal legislation relating to data security, especially data breach notification, could bring uniformity welcomed by many, and the bill contemplates backstop enforcement authority for AGs, as they have under numerous other federal laws, including the Dodd-Frank Wall Street Reform and Consumer Protection Act, this is not the first time attorneys general have urged Congress to maintain AGs’ active enforcement role and preserve state-specific protections. The AGs previously wrote to Congress in 2005 and again in 2015 to support a national law on breach notification that would not preempt state enforcement or state law. Certain AGs, including Massachusetts AG Maura Healey, have testified in Congress against preemptive breach laws. The topic will also be the focus of a panel at the upcoming Conference of Western Attorneys General meeting in May.
However, some AGs have recognized the conundrums that face businesses when state laws vary or even conflict with each other, and some have supported harmonization of breach laws so that businesses do not need to surmount the obstacle of different laws in almost every state. Former California AG (now U.S. Senator) Kamala Harris advocated for this approach, and Utah AG Sean Reyes expressed insightful consideration of the concept at a recent International Association of Privacy Professionals (IAPP) KnowledgeNet hosted by Reed Smith in Washington, D.C.
It remains to be seen whether this will be the year that federal breach legislation is passed. We will be watching this space closely to see whether this or any of the other federal breach laws proposed this year advances more than in previous years. All indications are that AGs will continue to be the tip of the spear in privacy enforcement. Unless and until a federal law is passed that would dramatically impact AGs’ power, states will be very active in enforcing privacy and data security. Knowing individual AGs’ positions on these issues will continue to be very important – check out our series of interviews with AGs in the IAPP Privacy Advisor as one resource for getting to know the enforcers.