Pennsylvania Attorney General Josh Shapiro on Wednesday told a room full of cyber insurance brokers, underwriters and attorneys at the 2018 NetDiligence Cyber Risk Summit that he is ratcheting up cybersecurity and data protection on his list of priorities.
At the summit in Philadelphia, Shapiro touted his office’s lawsuits and investigations into companies that have failed to disclose data breaches of personal information.
“Historically you have not heard from many Pennsylvania AGs, in part because of some of the challenges my predecessor had, but really in part because this is not an area that we have historically done a lot of work in,” Shapiro said.
Shapiro explained that when he took office in 2017, he saw cybersecurity as a real threat and wanted to focus on three main elements of the problem: prevention and education, building up defense capabilities, and creating collaborative relationships across law enforcement to combat the threat.
He said that with 89 percent of Americans online, he wants to protect the integrity of the internet. Protecting that integrity, Shapiro said, is why he has joined with other state attorneys general to file suit against the Federal Communications Commission over the commission’s decision to scrap net neutrality.
Net neutrality, which guarantees equal treatment of content and applications online, ceased to be the law of the land this week.
Shapiro said that he believes the way the FCC allegedly used over 2 million fake comments to bolster its argument to get rid of net neutrality was illegal.
“What we know right now is that we don’t have a Congress who can act [on net neutrality]. And we have an FCC who acted, I believe, in an unlawful manner. In the absence of legislation, we will go to court to defend people’s rights,” Shapiro said.
As far as combating data breaches, Shapiro said that he is involved in multistate investigations against Facebook and Equifax. He also said that he has filed a lawsuit against Uber for its failure to report a data breach for over a year. The alleged breach exposed the personal information of over 13,000 Uber drivers in Pennsylvania.
“Sitting on that information for a year is not reasonable,” Shapiro said.
With that lawsuit, Shapiro said Uber could be looking at a $13.5 million fine.
The attorney general explained that in Pennsylvania, companies are required to report a data breach “within a reasonable amount of time,” and that he has lobbied the Pennsylvania legislature to give additional “teeth” to that statute.
“I intend to rely on that statute more and more to hold companies accountable when they fail to notify,” Shapiro said.
For the prevention of data breaches, Shapiro said, there needs to be a change in corporate culture.
“I believe that these data breaches can’t just be looked at through the prism of technology. They can’t just be considered technical flaws. I think these data breaches have as much to do with economics and greed as they do about technology,” Shapiro said.