State attorneys general play an active role in data privacy and security matters. Their involvement is increasing as they grapple with changing technologies and threats, rapidly evolving state laws and their relatively broad consumer protection authority to engage private sector custodians of personal data such as retailers, financial institutions, technology companies, and health systems. In some states, attorneys general also have some level of law enforcement responsibility related to data breaches and privacy matters. The role of the attorneys general vary by state, further complicating compliance for those who may experience a data privacy or security event.
Attorneys general often work together leveraging their resources by initiating multistate litigation against companies resulting in larger settlements and by working closely with federal agencies such as the Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), the Federal Trade Commission (FTC), and the U.S. Department of Commerce (DOC). Attorneys general are also branching out from their typical enforcement roles to include policy and legislative initiatives. Attorneys general associations such as the National Association of Attorneys General (NAAG), Republican Attorneys General Association (RAGA), and Democrat Attorneys General Association (DAGA) are making data privacy and security a top priority, frequently hosting panel discussions at their national meetings, and holding policy conferences specific to this topic. The following are some examples of how attorneys general can impact your business regarding data breach and security matters.
State Reporting Requirements
A total of 47 states have legislation requiring entities to notify individuals of breaches involving personally identifiable information. Twenty-three of these states require entities to notify the attorney general of a breach. Some notification statutes are triggered by the number of persons affected by the breach (e.g., when 500 or 1,000 persons are affected). Others require disclosure no matter the size of the breach. As of this year, states requiring some form of attorney general notification are: California, Connecticut, Florida, Idaho, Illinois, Indiana, Iowa, Louisiana, Maine, Maryland, Massachusetts, Missouri, Montana, Nebraska, New Hampshire, New York, North Carolina, North Dakota, Oregon, Rhode Island, Vermont, Virginia and Washington. Because state laws in this area are constantly changing, it is important to stay current on breach notification laws for your applicable states.
State Attorney General Litigation and Settlements
Attorneys general are actively involved in bringing litigation and seeking settlements against companies for various matters relating to data breaches. For example, Trump Hotel Collection settled with the New York attorney general to pay $50,000 in penalties when over 70,000 credit card numbers and other personal data were breached. Trump Hotel Collection also agreed to design and implement new data security practices to prevent future breaches.
Recently the Texas attorney general settled with PayPal regarding its Venmo mobile phone app for potential violations of Texas law by not disclosing how the personal information was being used and that it might have publically exposed private information. The settlement required PayPal to pay $175,000 to the state and improve disclosures regarding security and privacy.
Failure to timely notify patients of a breach and inadequate security measures resulted in a consent judgment against Beth Israel Deaconess Medical Center (BIDMC). The Massachusetts Attorney General sued BIDMC after a laptop containing health information of nearly 4,000 patients was stolen from a physician’s office. The lawsuit alleged BIDMC violated state and federal law when it did not notify patients that their information had been compromised until three months after the incident. BIDMC agreed to pay $100,000 and take steps to ensure compliance with data security laws.
A Vermont-based grocery store, Natural Provisions, settled with the Vermont Attorney General after a security breach involving credit card numbers. The settlement required Natural Provisions to upgrade its computer systems beyond the minimum required legal protections and pay a fine to the state. This settlement exemplifies the emerging trend requiring companies to not only pay a monetary penalty, but also make institutional improvements to prevent future breaches.
In November, Adobe settled a multistate action alleging the company did not employ reasonable security measures to protect customer information in violation of consumer protection laws and personal information safeguard statutes. The Connecticut attorney general led the multistate investigation with fourteen other states that involved over 500,000 people. The settlement required Adobe to pay $1 million to the states and review internal security polices at least twice annually.
State Attorney General Policy Initiatives
Many attorneys general are going beyond enforcement and litigation. This year, the Massachusetts Attorney General’s Office hosted a forum on data privacy. Consumer advocates at this forum encouraged attorneys general to pursue enforcement of consumer protection laws. Washington and California attorneys general release annual reports of every data breach incident in their state. Ohio’s Attorney General recently launched CyberOhio, a collection of cybersecurity initiatives to help Ohio businesses prevent data security threats and pursue legislative initiatives. The Maryland Internet Privacy Unit, created in 2013, monitors companies to ensure compliance with state and federal consumer protection laws. The increased policy attention on data breaches is sure to bring more enforcement and investigatory efforts by state attorneys general. Much of the policy development for attorneys general begin with their various national associations such as NAAG, RAGA and DAGA, providing companies with a good opportunity to help inform these state initiatives.
Despite federal regulations and enforcement, companies cannot forget that state attorneys general play a significant and expanding role with data privacy and security matters, including enforcement, prevention, and policy development. Understanding their role and a company’s responsibility in the event of a data breach is critical. Engaging attorneys general before a crisis occurs, and helping shape their policy initiatives are also prudent strategies.