Recently, Republican attorneys general from across the nation gathered in Scottsdale, Arizona, for their association’s annual fall conference. The purpose of the conference was to discuss a variety of issues facing the state attorneys general and businesses in their states. McGuireWoods attorneys attended the conference’s data privacy panel discussion, led by Attorneys General Pam Bondi (R-FL) and Sam Olens (R-GA).
In many instances, the state attorney general is the “front-line” regulator dealing with companies that have suffered data privacy breach incidents. Since state attorneys general rank consumer protection as one of their top priorities, how they view such incidents has a direct impact on how a company can expect to be treated should it suffer a data breach.
While very little new ground was broken in the discussion, it is noteworthy that data privacy and companies’ responses to breaches regularly make the agenda of such conferences, whether it is the Republican Attorneys General Association, the Democratic Attorneys General Association or the National Attorneys General Association.
One issue that garnered significant discussion was the myriad of data breach notification laws across the country and the burden this places on businesses in developing comprehensive data breach notification procedures that are compliant across states. Notwithstanding this burden, the vast majority of state attorneys general, Republican and Democrat, oppose a national data breach notification law that would preempt the various state notification laws.
When a breach occurs, the attorneys general noted, their first course of action would entail a review of the data security measures the company already had in place. Ensuring that those measures are up to date with best practices would go a long way toward alleviating concerns that the company was negligent in its security and therefore more likely to experience a successful breach. Often, the difference between the breach being viewed as an isolated incident, as opposed to a reason to open a broader data security investigation, rests upon the actions taken before the breach occurred and the length of time it took to discover the breach.
The attorneys general also discussed the different approaches they take in dealing with a company that has suffered a breach. It was apparent that their preference is to work in a collaborative fashion to address protecting consumers and determining the source of the breach. However, the attorneys general were also clear that the real victims in a breach of customer data are the customers and not the company.
The attorneys general encouraged companies that have experienced breaches to be ready to discuss with the state attorneys general the steps they are prepared to take to strengthen security and to mitigate such risk in the future. Companies that are not prepared for that discussion run the risk of state attorneys general quickly forming their own opinions as to what should be required for each company.
As the participants in this discussion made clear, it is hard to be sympathetic to companies that have done little to protect themselves or that fail to evolve with the changing nature of cyber threats to company assets such as consumers’ personal information.
While the data breach discussion may seem mundane in comparison to the implications of the U.S. Safe Harbor agreement being declared invalid, the discussion at this conference is a good reminder that companies need to pay attention to the basics here at home when it comes to protecting customer data. State attorneys general wield a tremendous amount of investigatory power and they will use that power if they believe a company is not forthcoming in details regarding breaches or if such companies fail to take seriously their obligations to implement procedures and technology to mitigate such risks for the future.