Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Attorneys General Call for Congress to Avoid Possible Federal Preemption of State Data Breach and Security Laws

The draft bill, “Data Acquisition and Technology Accountability and Security Act,” has led 32 state attorneys general to release a letter urging Congress to avoid preempting state data breach and data security laws.

On February 16, 2018, Representatives Blaine Luetkemeyer (R-MO) and Carolyn Maloney (D-NY) introduced the draft bill in the House of Representatives, which would (i) establish sweeping standards for data protection across various industries, (ii) establish federal post-data breach notification requirements, and (iii) establish a process that covered entities must follow to notify law enforcement, regulators, and victims following different types of data breaches.

The attorneys general letter, released by Illinois Attorney General Lisa Madigan on March 19, 2018, begins by noting that the attorneys general offices play a primary role in consumer protection, and often hear from consumers following a large data breach. The attorneys general reference the 2017 Equifax data breach as a prime example of when attorneys general had to intervene in order to protect consumers. The letter then notes that the draft bill “appears to place Equifax and other consumer reporting agencies and financial institutions out of states’ enforcement reach.”

As stated by the attorneys general, the draft bill “totally preempts all state data breach and data security laws, including laws that require notice to consumers and state attorneys general of data breaches.”  The preemptive effect of the draft bill is made clear by Section 6 of the draft bill, which states in relevant part that, “[t]his Act preempts any law, rule, regulation, requirement, standard, or other provision having the force and effect of law of any State . . . with respect to securing information from unauthorized access or acquisition, including notification of unauthorized access of acquisition of data . . . .”

Section 5 of the draft bill does proceed to grant a right of civil action to the attorney general of a State when there is “reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by any covered entity that violates [the protection and notification standards of this Act] . . .” However, the draft bill also states that in any of these cases, the Federal Trade Commission (FTC) may intervene in the case, and that a State attorney general may not proceed to bring action against a defendant. With those provisions, as well as the FTC’s given ability to control civil actions, the draft bill does appear to limit the effectiveness of the attorneys general’s ability to protect consumers in their states.

The letter goes on to say that the draft bill appears to give discretion to entities that have suffered a data breach. Specifically, entities are allowed to determine whether to notify consumers of a breach based on the entities’ assessment of whether there is “a reasonable risk that the breach of data security has resulted in identity theft, fraud, or economic loss to any consumer.” This approach, the attorneys general argue, will result in less transparency to the consumer, as well as fewer notifications to the consumer. Further, the attorneys general argue that the draft bill will permit entities that have suffered a data breach to notify the consumer after the harm to them has occurred, thus leaving the consumers without the ability to take proactive steps to protect themselves after a breach occurs.

The letter closes by stating that state data breach notification requirements, as opposed to federal requirements, have led to progress in transparency surrounding data breaches and more stringent data security fixes in companies.  The letter also notes that while large breaches, like those that occurred at Equifax, Uber, and Target, gain the most national media and consumer attention, most data breaches are far smaller and occur at a more regional or local level.  The attorneys general argue that the draft bill fails to acknowledge this, and only addresses those data breaches affecting 5,000 or more consumers.

Overall, the attorneys general ask that the interests of state and federal agencies in data breaches and consumer protection be balanced, and that Congress should not preempt state data security and breach notification laws.

In addition to Illinois, the attorneys general of the following states joined in signing the letter to Congress: Alabama, California, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Hawaii, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Tennessee, Vermont, Washington and Wisconsin.

Notably, state attorneys general have previously sent letters to Congress opposing preemption of state breach notification laws in both 2005 and 2015, with 44 and 47 attorneys general co-signing the letters, respectively.

Drinker Biddle will continue to monitor the progression of the draft bill and its effect on state data breach and security laws.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

April 10, 2018
Written by: Daniel Walbright
Category: Cybersecurity, Privacy
Tags: data breach, state laws

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.
