- It is essential that a federal data breach notification law does not preempt state laws, according to the National Association of Attorneys General (NAAG).
The group wrote a letter to Congress this week, explaining that as many current state data breach notification laws have more protections than proposed federal legislation, states need to have the ability to enact and enforce state breach notification.
Currently, 47 states have passed laws requiring consumers receive notification when their personal information is compromised by a security breach, NAAG explained. Many states have also enacted laws that require companies to adopt “reasonable security practices.”
The group said that many of their members have seen first hand the damage from data breaches, and many attorneys general “have played critical roles” in the recovery process:
In recent years, a number of states have reexamined and updated their data breach notification laws to ensure they continue to protect the sensitive information about consumers being collected. Some states now include notification requirements for compromised biometric data, login credentials for online accounts, and medical information. These categories reflect the significant increase in data collection that has occurred over the past ten years and respond to consumers’ concerns about that increase.
Transparency has also been pushed in recent years, NAAG said in its letter, as many states require attorneys general offices to be notified in the case of a large-scale data breach. Furthermore, states are working together to help prevent future issues. Forty-seven states participate in the Privacy Working group, NAAG stated, which “discusses and jointly investigates data breaches and other privacy matters.”
State attorneys general have first-hand experience, the group added, and they have seen cases where unsecured networks lead to consumers’ information being compromised.
“While many companies have become more sophisticated over time in their security practices, we still frequently encounter situations in which companies do not comply with their own security policies, ignore security warnings, neglect to apply critical software patches, and fail to take other measures to safeguard consumers’ information,” the letter stated.
Overall, state data breach notification laws are essential to ensure consumer identity and financial protection, according to NAAG. Any federal legislation that is passed needs to allow states to continue to enact and enforce the necessary protections.
“As we have seen over the past decade, states are better equipped to quickly adjust to the challenges presented by a data-driven economy,” the group explained. “States have been able to amend their laws and focus their enforcement efforts on those areas most affecting consumers.”
The effectiveness of federal law in relation to data breach notification and data security measures would be hampered if enforcement authority and regulatory authority were placed with the federal government, NAAG said.
A federal agency cannot be tasked with receiving notification for every breach that occurs in the country. While such notification at the federal level may work for large breaches that affect consumers nationwide, it does not work for breaches that affect one state or one region. Many breaches are significant, but not nationwide in their scope. A better solution to the problem is for state attorneys general to also be given timely notification of breaches, as many state laws already require.
To read the entire letter sent to Congress, click here.