Though the National Association of Attorneys General (NAAG) Presidential Initiative “Privacy in a Digital Age” expired in June 2013 when a new NAAG president took over, the state attorneys general have maintained their sharp focus on all things privacy, with no signs that that focus will shift anytime soon. Most recent case in

On June 9, 2011, Citigroup confirmed that its online banking platform Citi Account Online had suffered a data breach involving the names, credit card numbers, addresses, and email details of approximately 200,000 customers. While Citi has already notified the Office of the Comptroller of the Currency in accordance with FDIC Guidance, financial institutions responding to a breach must also comply with the breach notification laws of the individual states.

Citi is just the latest victim in a recent string of hacking attacks, with major companies like Sony, Epsilon, Michael’s Stores, Apple, and Google having suffered recent (and in some cases widely publicized) breaches of their own. When a company suffers a data breach, it is often faced with the complex task of complying with a multitude of state laws that set divergent standards for breach notification. States often differ in how they define what type of personal information triggers notification, how long a company has to send notifications, and whether notifications must be sent to third parties (e.g., government agencies or consumer reporting agencies). Navigating the sea of 47 different state laws can be quite challenging for companies confronted with the task.
