Reed Smith has been closely following the interest and activities of State AGs in the areas of privacy and cybersecurity, and recently blogged on a major NAAG (National Association of Attorneys General) conference in April on these topics. That conference, which was sponsored by the Mississippi AG, was meant to educate AGs – most of whom are the elected consumer protectors-in-chief in their states – on the complex issues of data loss and misuse, as well as evolving privacy standards. A key takeaway from the conference was that AGs were likely to double-down on privacy enforcement and regulatory change.
Earlier this week, and following closely on the heels of that conference, NAAG held a privacy conference for Consumer Protection Assistant AGs (AAGs). Consumer Protection AAGs are the major enforcement attorneys in AG offices and are the tip-of-the-spear people in charge of privacy enforcement actions and investigations in their states. AAGs attending this session came from far and wide (39 states, plus D.C.) – Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, D.C., Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington, and Wisconsin.
Topics on which the AAGs were briefed included both data use (particularly the Internet of Things), and data breach and data protection. The NIST Cybersecurity framework was also a prominent agenda topic.
Of particular note, the AAGs were repeatedly credited by Alvaro Bedoya, of the Center on Privacy and Technology at Georgetown Law School, for driving the current national discussion over a federal breach notice law as a result of the dozens of state breach notice laws already on the books. He urged the participants to now move beyond breach notice and into substantive privacy protection and regulation. In so doing, Bedoya (a former staffer for U.S. Sen. Al Franken and Chief Counsel to the Senate Judiciary Subcommittee on Privacy, Technology and the Law) emphasized that legislative efforts regarding privacy at the federal level have been foiled since 2009 (with little prospect of progress any time soon), and that the states are best equipped to bring about change to the privacy culture in the United States – either by enacting new laws governing privacy for subsequent enforcement, or by initiating investigations and enforcement actions under existing state laws governing unfair or deceptive acts and practices (UDAP laws), and establishing de facto privacy standards through litigation.
Key takeaways from this conference include: entities holding personal data (the definition of which is a moving target) should look for not only increased legislative activity in the states governing privacy and data use, but also increased enforcement activity by the states (and private plaintiffs to the extent permitted under state law). Further, and perhaps most important, states increasingly are considering using existing UDAP laws to pursue privacy enforcement actions – as such, any compliance program that does not contemplate whether data protection and use practices are “unfair” or “deceptive” under existing laws likely are falling short of their intended purpose.