In a recent letter to leaders of the House Financial Services Committee, 31 state attorneys general urged Congress not to move forward with the Data Acquisition and Technology Accountability and Security Act, a federal breach notification bill, which aims to create a uniform set of reporting requirements for businesses nationwide. In their letter, the attorneys general argue that states have proven able enforcers of their citizens’ data privacy and security and, as such, the bill’s proposed preemption of state data breach and data security laws is unwarranted.
In particular, the attorneys general object to the bill’s requirement that companies suffering data breaches notify consumers of the breach only once they have determined, based on their own judgment, whether there is “a reasonable risk that the breach of data security has resulted in identity theft, fraud or economic loss to any consumer.” Leaving it to the breached companies to determine whether consumers have already fallen victim to identity theft or fraud, they say, will lead to less disclosure and may leave many consumers unaware that they are at risk of future harm. Moreover, the attorneys general argue, allowing companies to wait to notify consumers of the breach until after the harm has actually occurred will prevent consumers from taking affirmative measures to protect themselves before the harm happens.
The attorneys general also point out the bill’s failure to recognize that most breaches are relatively small when compared with the larger, and better known, breaches that befell Uber, Equifax, Target and Home Depot. Consequently, they say, by only covering national data breaches that affect 5,000 or more consumers, and by preventing attorneys general from addressing local or regional breaches and nationwide breaches that, while on a smaller scale, nevertheless affect their state residents, the bill leaves the majority of data breaches devoid of any disclosure requirements.
The letter comes amidst increased efforts by industry groups advocating for a national data breach notification law and symbolizes the ongoing debate over how to best regulate the disclosure of data breaches that result in the loss of consumers’ personal information. At a minimum, the attorneys general’s keen interest in protecting their citizens’ data privacy should put companies on notice that, regardless of whether any federal data breach legislation is passed, state attorneys general will continue to focus on enforcing data breach notification laws requiring companies to disclose data breaches.