The draft bill, “Data Acquisition and Technology Accountability and Security Act,” has led 32 state attorneys general to release a letter urging Congress to avoid preempting state data breach and data security laws.
On February 16, 2018, Representatives Blaine Luetkemeyer (R-MO) and Carolyn Maloney (D-NY) introduced the draft bill in the House of Representatives, which would establish, (i) sweeping standards for data protection across various industries, (ii) federal post-data breach notification requirements, and (iii) establish a process that covered entities must follow to notify law enforcement, regulators, and victims following different types of data breaches.
The attorneys general letter, released by the Illinois Attorney General Lisa Madigan on March 19, 2018, begins by noting that the attorneys general offices play a primary role in consumer protection, and often hear from consumers following a large data breach. The attorneys general reference the recent 2017 Equifax data breach as a prime example of when attorneys general had to intervene in order to protect consumers. The letter then notes that the draft bill “appears to place Equifax and other consumer reporting agencies and financial institutions out of states’ enforcement reach.”
As stated by the attorneys general, the draft bill “totally preempts all state data breach and data security laws, including laws that require notice to consumers and state attorneys general of data breaches.” The preemptive effect of the draft bill is made clear by Section 6 of the draft bill, which states in relevant part that, “[t]his Act preempts any law, rule, regulation, requirement, standard, or other provision having the force and effect of law of any State . . . with respect to securing information from unauthorized access or acquisition, including notification of unauthorized access of acquisition of data . . . .”
Section 5 of the draft bill does proceed to grant a right of civil action to the attorney general of a State when there is “reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by any covered entity that violates [the protection and notification standards of this Act . . .” However, the draft bill also states that in any of these cases, the Federal Trade Commission (FTC) may intervene in the case, and that a State attorney general may not proceed to bring action against a defendant. With those provisions, as well as the FTC’s given ability to control civil actions, the draft bill does appear to limit the effectiveness of the attorneys general’s ability to protect consumers in their states.
Theletter goes on to say that the draft bill appears to give discretion to entities that have suffered a data breach. Specifically, entities are allowed to determine whether to notify consumers of a breach based on the entities’ assessment of whether there is “a reasonable risk that the breach of data security has resulted in identity theft, fraud, or economic loss to any consumer.” This approach, the attorneys general argue, will result in less transparency to the consumer, as well as fewer notifications to the consumer. Further, the attorneys general argue that the draft bill will permit entities that have suffered a data breach to notify the consumer after the harm to them has occurred, thus leaving the consumers without the ability to take pro-active steps to protect themselves after a breach occurs.
The letter closes by stating that state data breach notification requirements, as opposed to federal requirements, have led to progress in transparency surrounding data breaches and more stringent data security fixes in companies. The letter also notes that while large breaches, like those that occurred at Equifax, Uber, and Target, gain the most national media and consumer attention, most data breaches are far smaller and occur at a more regional or local level. The attorneys general argue that the draft bill fails to acknowledge this, and only addresses those data breaches affecting 5,000 or more consumers.
Overall, the attorneys general ask that the interests of state and federal agencies in data breaches and consumer protection be balanced, and that Congress should not preempt state data security and breach notification laws.
In addition to Illinois, the following states attorneys general joined in the signing of the letter to Congress: Alabama, California, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Hawaii, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Tennessee, Vermont, Washington and Wisconsin.
Notably, state attorneys general have previously sent letters to Congress opposing preemption of state breach notification laws in both 2005 and 2015, with 44 and 47 attorneys general co-signing the letters, respectively.