States Write Congress|on Data Breaches

     (CN) – Forty-five attorneys general signed a letter urging Congress to take state laws into account as it considers legislation on data breaches.
     The July 7 letter, sent to the Senate and House, cites a similar letter to Congress signed by 44 attorneys general in 2005. That letter said: “Do not preempt the power of states to enact and enforce state security breach notification. … Preemption interferes with state legislatures’ democratic role as laboratories of innovation.”
     Citing a report from the Privacy Rights Clearinghouse, the new letter states that since 2005, “nearly 5,000 data breaches have compromised 815,842,526 records .”
     (The Tuesday letter cites the Privacy Rights Clearinghouse report as of March 13. On Thursday morning, the Clearinghouse counted 845,478,057 compromised records from 4,557 “reported” data breaches.)
     The letter does not mention specific legislation, but appears to target H.R. 1770 : The Data Security and Breach Notification Act of 2015.
     That bill requires corporations and nonprofits collecting personal data to provide data breach notifications to: “(1) affected U.S. residents when there is a reasonable risk that such a breach has resulted in, or will result in, identity theft, economic harm, or financial fraud; (2) the Federal Trade Commission (FTC) and the U.S. Secret Service or the Federal Bureau of Investigation if an unauthorized person accesses or acquires the personal information of more than 10,000 individuals; and (3) consumer reporting agencies if notice must be provided to more than 10,000 individuals.”
     According to Congress’s website, the bill would give the FTC and states the authority to prosecute violations of the Act, which “preempts state information security and notification laws.”
     That appears to be what rang the alarm for the attorneys general.
     “As the chief consumer protection officials in our respective states, we have seen first-hand the harm that data breaches and identity theft cause consumers,” the letter begins. “However, any additional protections afforded consumers by a federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft.”
     The states claim that they can respond more quickly to data breaches than the federal government can. “Placing enforcement authority and regulatory authority with the federal government would hamper the effectiveness of the federal law,” the letter states. “Too many breaches occur for any one agency to respond effectively to all of them.”
     It concludes: “It is crucial that state attorneys general maintain their enforcement authority under their states’ laws, and that any legislation be tailored to ensure complementary enforcement authority.”
     The only states not signing the letter are Colorado, Oklahoma, Texas, Wisconsin, and Wyoming.
     The attorney general of the Northern Mariana Islands signed it too.

%d bloggers like this: