Matthew Fitzsimmons

It was a matter of necessity. Too many times in recent years, the Connecticut Attorney General’s Office has been notified that consumers’ personal information may have fallen into the wrong hands. Retailer Target may be the most highly publicized example.

In response, Attorney General George Jepsen has announced the creation of a privacy and data security department that will work exclusively on investigations and litigation related to consumer privacy and data breaches.

“When I took office in January 2011, it became immediately clear that data privacy and security were growing concerns in our state and across the country,” Jepsen said, noting that he had previously appointed a privacy task force “to address these matters head on. In the four years since, nothing has lessened the importance of our privacy work. … Sadly there is no reason to predict that the demands of privacy and data security concerns will subside in the foreseeable future.”

Assistant Attorney General Matthew Fitzsimmons, who chaired the privacy task force, will head the new privacy and data security department. Fitzsimmons and one other attorney will work exclusively on privacy matters. Three other attorneys will spend part of their time with the department, and assistant attorneys general with expertise in health, finance and other areas of the law will be called in as needed. Fitzsimmons said the AG’s office would continue working closely with the state Department of Consumer Protection on privacy matters.

Fitzsimmons said the workload’s “sheer volume” is reason enough to devote such resources to privacy and data security. Since 2012, Connecticut companies have been required to notify the AG’s office of data breaches involving consumers’ personal information. So far it has received 1,100 notifications.

“These kinds of things are happening a lot,” said Fitzsimmons. “We can’t do a full-size investigation of every one but having a staff looking into those is important.”

The AG’s office has been at the forefront of tackling privacy and data breaches. In 2010, then-Attorney General Richard Blumenthal was the first AG of any state to sue Health Net and its affiliates for violating the federal Health Insurance Portability and Accountability Act. Blumenthal alleged that Health Net failed to secure private patient medical records and financial information of nearly a half million Connecticut enrollees and failed to promptly notify consumers they were endangered by the breach. Health Net paid $250,000 to the state to settle the allegations.

In the past four years under Jepsen, the office has taken a lead role in investigating massive consumer data breaches involving the likes of Anthem Insurance, Target Brands and Home Depot. But Fitzsimmons explained that the issue goes far beyond companies failing to safeguard consumer data that’s stored in their computer systems. He mentioned a case involving Google that took a couple of years to investigate and resolve. As Google drove through neighborhoods across the country to collect information for its mapping service, data also was collected from unsecured wireless networks. Among the data collected and stored were consumers’ emails and texts, passwords and Web-browsing histories.

Connecticut led an eight-state committee that worked to resolve the allegations. Google settled for $7 million in March 2013. Google also was required to destroy the information as part of the settlement.

Though he couldn’t go into much detail because the investigation is ongoing, Fitzsimmons said the department is part of an investigation into the technology company Lenovo Group and the software company Superfish. Software called Superfish Visual Discovery is in the operating systems of certain Lenovo personal computers sold from about September 2014 to January 2015, making it difficult for common antivirus products to detect or remove it.

Many consumers do not know it exists on their personal computer, yet the software allegedly facilitates the ability of hackers to access a computer. Additionally, the Superfish software was intended to track users’ Web searching and browsing activity in order to place additional ads on the sites they visit.

According to the U.S. Department of Homeland Security, the software has a vulnerability that could allow a hacker to read all encrypted browser traffic, impersonate any website or perform other attacks on the user’s computer.

It is these kinds of cases that are keeping Fitzsimmons busy. And the kinds of cases he’s seeing never cease to amaze him, even if they might shock the general public, such as vulnerabilities in some Web cams that allow hackers to spy on you.

“I was honored when the AG asked me to chair the task force and no less honored to be the first chair of this department,” said Fitzsimmons. “It’s going to be an enduring part of the office long after [Jepsen] leaves. I think it’s a great thing for him and really shows his dedication to this.”