Coalition of 32 State AGs Outline Opposition to Federal Preemption of State Data Breach Notification Laws

On March 19, 2018, a bipartisan coalition of 32 state Attorneys General outlined their opposition to the House draft Data Acquisition and Technology Accountability and Security Act, which was introduced by Representative Luetkemeyer (R-MO) and Representative Maloney (D-NY) on February 16, 2018. According to the U.S. House of Representatives Committee on Financial Services staff, the bill would “replace the current patchwork of state and federal regulations for data breaches” with federal requirements for data security and notification measures. The bill would also establish a federal oversight mechanism led by the Federal Trade Commission (“FTC”), as well as a technology-neutral “reasonableness” standard for data security. This standard would be flexible and take many factors into account, including the “size and complexity of the covered entity,” as well as the nature of its activities.

In their letter to the chairs of the House Committee on Financial Services and the Subcommittee on Financial Institutions and Consumer Credit, the coalition of Attorneys General argue against specific provisions of the draft bill, as well as against federal preemption of state data breach and data security laws more generally.

The Attorneys General, led by Illinois Attorney General Lisa Madigan, argue that the bill is deficient in three ways. First, the bill would give discretion to the entity suffering the breach about whether to notify consumers, using its “own judgment of whether or not there is ‘a reasonable risk that the breach of data security has resulted in identity theft, fraud, or economic loss to any consumer.’” This would preempt stronger state laws, including ones which mandate notification to consumers and to state Attorneys General. Second, the bill would allow breached companies to notify consumers after the harm has occurred. The coalition of Attorneys General argues that legislation needs to mandate an immediate notification so that consumers can “take pro-active steps to protect themselves from identity theft before it happens.” Third, the draft bill addresses only “large, national breaches affecting 5,000 or more consumers.” The Attorneys General note that most breaches are local or regional, and involve fewer than 5,000 residents.

The coalition of Attorneys General is opposed to a national data breach law that would preempt states’ authority to protect their respective consumers. The coalition asserts, “there is a place for both state and federal agencies to protect consumers’ important personal information.” Groups of Attorneys General have previously written to Congress opposing federal preemption of state breach notification laws in 2005 and 2015. To date, there is no federal data breach notification legislation. Over the past 15 years, states have gradually adopted data breach notification laws: California was the first state to enact a data breach notification law in 2003; Alabama became the last state to do so on March 28, 2018.

Groups such as the Electronic Privacy Information Center (“EPIC”) have criticized the draft bill. EPIC criticized the bill’s provision giving the FTC an oversight role, asserting that the FTC has “failed to pursue important data breach cases.” In its feedback on the draft bill, the Consumers Union highlighted its “strong” opposition to the bill in its current form, especially the bill’s “extreme” preemption provisions, which it argues leave consumers vulnerable.

However, many industry groups have advocated for federal legislation and preemption. The American Bankers Association criticized the “patchwork of state laws,” which it asserts may “have inconsistent and conflicting standards.” In the Subcommittee’s March 7th hearing on the bill, Representative Luetkemeyer said the bill sought to remedy the existing “regulatory labyrinth that causes compliance nightmares…This is a national problem that requires an immediate national solution.”

Experts predict that the bipartisan nature of the push for data breach notification laws makes it “a very likely area where you will see some legislation before the midterm[s] [elections].”  

 

Saranna Soroka is a 1L at Harvard Law School. Saranna is a Production Editor and an Outreach Editor for the Harvard Journal of Law & Technology.