On July 7, 2015, attorneys general from 47 states and territories sent a letter to Congressional leaders urging them to consider federal data breach notification legislation that does not preempt the states. The move comes on the heels of a data breach announcement made by the Office of Personnel Management, and renewed interest on the Hill in passing federal privacy and data security legislation. Some of the pending bills include preemption provisions.
The attorneys general are consistently vocal about the need for any federal data breach legislation to uphold a state’s right to implement more restrictive state laws and to investigate data breaches that affect their citizens. A group of states sent a similar letter to Congressional leaders in 2005, urging them to respect the work that the states had begun in this area. Illinois Attorney General Lisa Madigan sent the same message to Congress in her February 2015 testimony. The most recent letter emphasized the states’ work in the areas of data security, identity theft, and privacy over the past decade, pointing specifically to the Illinois Attorney General’s work with identity theft victims.
Illinois is not the only state active in the area of data security and privacy. Massachusetts was the first state to pass data security regulations and continues to be at the forefront of large-scale data breach investigations. Connecticut recently created a Privacy and Data Security Department, which furthers the goals of that office’s four-year-old privacy task force. Many states, including Florida, have updated their state data breach notification laws to change with the evolving nature of breaches and breach investigations. California, Indiana, New Jersey, and Texas have also been especially active in this area.
Separate from data breaches, privacy is a hot-button issue for the attorneys general, as well. As Congress considers omnibus privacy legislation that addresses not only data breach notification, but also substantive privacy regulation, the debate over state preemption is likely to heat up. And as we have previously noted, states increasingly are acting in the absence of a breach to investigate privacy practices as unfair or deceptive under state UDAP laws. All businesses should be tuned in to the states’ continued focus on all things privacy.