State Data Breach Laws Should Preempt Federal Laws, Says NAAG

Yesterday, the National Association of Attorneys General (NAAG) sent a letter addressed to congressional leaders urging them to consider the state laws that have been put in place to protect consumers, and not to diminish the role that state Attorneys General play in enforcing data security and protection laws.

The letter urges Congress not to make changes to federal data breach notification and data security laws that would lessen the protections that have been put in place by the states. It calls for Congress to refrain from introducing data security and data breach notification laws that pre-empt those introduced in each state.

There are a number of bills pending which include data security and breach notification requirements that would pre-empt state laws.


A Similar Request Was Made a Decade Ago


This is not the first time the NAAG has written to Congress on state security breach notification laws; a similar request was made in 2005. That letter argued that “Pre-emption interferes with state legislatures’ democratic role as laboratories of innovation.” Congressional leaders were also informed back then that “states have been able to respond more quickly to concerns about privacy and identity theft involving personal information, and have enacted laws in these areas years before the federal government.”

Since then, state attorneys general have played a vital role in enforcing data security and data protection laws, while also ensuring state residents are properly protected. In the decade since the first letter was penned, the point has been further proved by numerous state actions taken against individuals and organizations found to have allowed security to lapse to the point that protected data was exposed.

Furthermore, the letter points out that in many states, the laws covering data breaches and breach responses offer far greater protections for consumers than federal laws. Some state attorneys general have introduced “innovative laws” to ensure the privacy of state residents is better protected and data better secured. The letter therefore calls for the removal of any “pre-emption provision in any national law on data security and data breach notification”.


A Decade of Experience Gained Dealing with Data Breaches


It was pointed out that over 815,842,526 records have been compromised in 5,000 data breaches since the last letter was sent to Congress. States have had to deal with those breaches and help consumers protect themselves against identity theft, as well as investigating security lapses and taking action against organizations that fail to protect data properly.

The letter says, “As the chief consumer protection officials in our respective states, we have seen first-hand the harm that data breaches and identity theft cause consumers.” The letter also points out that the states are on the front line and are taking action and making great progress.

Since 2003, states have been introducing their own data breach laws, and many are now updating them to offer state residents even greater protections. Now 47 states have introduced laws covering data breaches; recent updates include reductions in the breach notification period, enforced provision of credit monitoring services, an increase in the types of data that must be protected, and higher fines when there has been a failure to protect data, mitigate risk and warn data breach victims.

Furthermore, the letter points out “Our constituents are continually asking for greater protection. If states are limited by federal legislation, we will be unable to respond to their concerns.” It goes on to say, “Through our work on data breach investigations we understand the complexity of these issues and want to ensure that the progress made at the state level is not lost.”

State Attorneys General Are Quick to Respond and Take Action after Data Breaches


Data breaches are often not discovered by healthcare providers. If a data breach is suspected, a call is often made to the state attorney general’s office and investigations are conducted quickly. The response time after a data breach is faster than that of federal agencies.

It was pointed out that the “Office of the Illinois Attorney General has helped over 38,000 Illinois residents remove more than $27 million in unauthorized charges from their accounts,” although that is just one example of a great many.

“States should also be assured continued flexibility to adapt their state laws to respond to changes in technology and data collection. As we have seen over the past decade, states are better equipped to quickly adjust to the challenges presented by a data-driven economy. States have been able to amend their laws and focus their enforcement efforts on those areas most affecting consumers.”

The letter was sent to Senate Majority Leaders, Honorable Mitch McConnell & Honorable Harry Reid, Speaker of the House, Honorable John Boehner, and House Minority Leader, Nancy Pelosi.

The letter can be read here.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.