Attorneys general from thirty-one states have signed a letter urging Congress to scrap a proposed federal breach notification law that was introduced by Rep. Blaine Lukemeyer (R-Mo.) and Rep. Carolyn Maloney (D-N.Y.) in an effort to create a national data breach notification and security standard.  The proposed law, known as the Data Acquisition and Technology Accountability and Security Act (the “Draft Bill”), if passed, would require covered entities to, among other things:

  1. Conduct preliminary investigations of data breaches – If a covered entity believes that a breach of data security containing personal information occurred, the covered entity would be required to conduct an immediate investigation (“Preliminary Investigation”) to determine, among other thing, if personal information has or is likely to have been acquired without authorization.
  2. Notify agencies in the event of reasonable risk – If, after conducting the Preliminary Investigation, a covered entity determines that there is a reasonable risk that the data breach resulted in or will result in identity theft, fraud, or economic loss to consumers, the covered entity would be required to notify certain governmental entities, such as the Secret Service, the Federal Bureau of Investigation, and other agencies, if the data breach involved personal information relating to 5,000 or more consumers.
  3. Notify consumers in the event of harm – If, after conducting the Preliminary Investigation, a covered entity determines that there is a reasonable risk that a data breach resulted in identity theft, fraud, or economic loss to consumers, the covered entity would be required to notify all impacted consumers.

With respect to state enforcement rights, the Draft Bill indicates that state attorneys general may bring civil actions against covered entities for certain violations of the Draft Bill, provided that: (1) the covered entity is not a financial institution, and (2) the attorney general provides prior written notice of any action to the FTC and provides the FTC with a copy of its complaint, except in certain circumstances where such notice may not be feasible.  Additionally, the Draft Bill indicates that the FTC shall have the right to intervene in all state actions and that no state attorney general can bring an action against a covered entity if the FTC has already done so.

Lastly, and likely most controversially, Section 6 of the Draft Bill indicates that the act would “preempt any law, rule, regulation, requirement, standard, or other provision having the force and effect of any law of any state … with respect to securing information from unauthorized access or acquisition, including notification of unauthorized access or acquisition of data … .”

So, what is the big deal?  Having a national data breach notification law is a good thing, right?  Well, no … not according to the thirty-two attorneys general who signed the letter to Congress released on March 19.  As explained by these attorneys general, there are several issues of concern with the draft bill, including that it:

  1. “[T]otally preempts all state data breach and data security laws that require notice to consumer and state attorneys general of data breaches,” which would include the states’ consumer data breach notification laws that, as of March 28, 2018, have been enacted by all fifty states.
  2. “Allows entities suffering breaches to determine whether to notify consumers of a breach based on their own judgment of whether there is ‘a reasonable risk’ that the breach of data security has resulted in identity theft, fraud, or economic loss to any consumers.”  This, as they noted, is insufficient and too late, and will result in less transparency to consumers as fewer notifications to consumers will be sent.  It also permits entities that have suffered a data breach to notify consumers after the harm to them has occurred, which limits consumers’ opportunity to take proactive steps to protect themselves from identity theft before it happens.
  3. Fails to acknowledge the fact that data breaches come in all sizes by only addressing large, national breaches affecting 5,000 or more consumers, and prevents attorneys general from learning of or addressing breaches that are smaller in scale but nonetheless victimize residents in their states.
  4. Places consumer reporting agencies and financial institutions out of states’ enforcement reach, which would prevent State attorneys general from pursuing these companies after a security incident.

Considering themselves to be the “chief consumer protection officials” in their respective states, the attorneys general note that there is a place for both state and federal agencies to protect consumers’ personal information, and therefore, recommend that the Draft Bill not preempt state data security and breach notification laws.