Why State AGs Are Panning Proposed Federal Breach Notification Law
States worry the Data Acquisition and Technology Accountability and Security Act would restrict their ability to go after enterprises that keep breaches hidden.
April 04, 2018 at 12:17 PM
The original version of this story was published on Legal Tech News
Responding to frustration at how credit-reporting agency Equifax disclosed its 2017 breach affecting more than 145 million U.S. consumers, U.S. Reps. Blaine Luetkemeyer, R-Missouri, and Carolyn Maloney, D-New York, have circulated a draft bill to create a federal breach notification law.
To be sure, the Data Acquisition and Technology Accountability and Security Act is still only a draft and hasn't been officially filed by its two co-sponsors. But the bill has already caught the attention of dozens of state attorneys general who have publicly come out in opposition, arguing the proposed law would pre-empt and hamper their prosecutions.
In a letter to Congress, state attorneys general from 31 states panned the proposed bill, arguing it “totally preempts all state data breach and data security laws, including laws that require notice to consumers and state attorney general of data breaches.”
The letter went on to call the bill “insufficient,” declaring it will “result in less transparency for consumers” and open them up to more harm.
The Letter of the Law
At stake is whether a higher federal standard for prosecution would not only restrain states from going after breached companies that run afoul of their laws, but also inhibit their ability to extract a financial toll in federal court on companies that keep breaches secret.
The proposed law would apply to “covered entities,” which it defines as “any person, partnership, corporation, trust, estate, cooperative, association, or other entity that accesses, maintains, or stores personal, or handles personal information.”
Among other things, the bill would require covered entities to designate people within their organization to oversee and implement cybersecurity best practices, and “maintain reasonable procedures for the security of personal information by third parties.” Covered entities would also be required to conduct an “immediate investigation” if they believe personal information has been compromised, and notify certain federal and credit-reporting agencies should a breach include the data of 5,000 or more consumers. And if there is “a reasonable risk that the breach of data security has resulted in or will result in identity theft, fraud, or economic loss to the consumers,” covered entities must notify consumers of the breach.
The legislation empowers state attorneys general to bring civil actions against covered entities who violate the bill's provisions in federal courts, except if those entities are financial institutions, who will then be prosecuted by agencies empowered under the Gramm-Leach-Bliley Act. States also have to immediately notify the Federal Trade Commission on bringing action under the bill, and the commission may intervene in the case at any time. And should the FTC first initiate an action against a covered entity under the legislation, state attorneys general are not allowed to bring additional actions under the law against the same covered entity.
What It Means for States
In effect, since the bill only requires companies to notify consumers of a data breach when the breach poses a “reasonable risk” of injury, states will no longer be able to go after companies in federal court solely on the basis of them keeping breaches secret. By comparison, state attorneys general currently have the ability to prosecute breached companies “even if a consumer is not harmed or injured,” explained Joseph Jacquot, a partner at Foley & Lardner who formerly served as chief deputy attorney general of Florida and deputy chief counsel of the U.S. Senate Judiciary Committee.
As an example, Jacquot pointed to the $18.5 million settlement Target paid 47 states and the District of Columbia in May 2017, relating to the company's 2013 breach. Because the action taken by the states was not related to actual consumer injury, the settlement did not go to consumers affected by the breach.
Instead, the court ordered it to be used to pay for attorney fees and the cost of the investigation or to “be placed in or applied to, the consumer protection law enforcement, including future consumer protection or privacy enforcement, consumer education, litigation, or local consumer aid fund or revolving fund.”
Under the new act, however, states would be unable to band together in federal court to obtain such a settlement to fund their consumer protection programs.
But some dismiss the notion that a federal breach notification law that empowers the FTC will be a less useful cybersecurity deterrent than current state-launched prosecutions. “I think that taking anything to a federal agency like the FTC is always more powerful,” said Dimitri Sirota, CEO of compliance solutions provider BigID. “You just need to equip these regulators with teeth, they just need the legislation to provide them with enough of a stick to affect behavior.”
What's more, others argue that the legal pre-emption the proposed bill would enact on states is nothing entirely new. Jacquot noted that “this is the same structure under the Consumer Financial Protection Bureau. … State attorneys general are able to enforce any CFPB rule, and they can do that in state or federal courts. But if the CFPB wants to take over a case, they can, and I haven't heard anyone raise an issue with that.”
How this criticism by the state attorneys general will affect the proposed bill remains to be seen. But Jacquot did note that although the letter included 31 state attorneys general, it did not include two-thirds of them nationwide, the minimum amount needed for an “official letter of the National Association of Attorneys General.”
This may have less impact on Congress “because rather than speaking for all attorneys general, it's a handful of attorneys general that might have their particular reasons why they would write such a letter,” Jacquot said.
Still, 31 state attorneys general is a significant amount. And at the very least, it shows that many states believe the law has a chance of getting passed.
“Frankly, it seems like a very likely area where you will see some legislation before the midterms,” Sirota said. “Even given how many challenges there are in getting a unified approach to passing bills, this seems to be something where it crosses party lines.”
© 2025 ALM Global, LLC, All Rights Reserved.