Responding to frustration at how credit-reporting agency Equifax disclosed its 2017 breach affecting more than 145 million U.S. consumers, U.S. Reps. Blaine Luetkemeyer, R-Missouri, and Carolyn Maloney, D-New York, have circulated a draft bill to create a federal breach notification law.
To be sure, the Data Acquisition and Technology Accountability and Security Act is still only a draft and hasn’t been officially filed by its two co-sponsors. But the bill has already caught the attention of dozens of state attorneys general that have publicly come out in opposition, arguing the proposed law would pre-empt and hamper their prosecutions.
In a letter to Congress, state attorneys general from 31 states—including California AG Xavier Becerra—panned the proposed bill, arguing it “totally preempts all state data breach and data security laws, including laws that require notice to consumers and state attorney general of data breaches.”
The letter went on to call the bill “insufficient,” declaring it will “result in less transparency for consumers” and open them up to more harm.
The Letter of the Law
At stake is whether a higher federal standard for prosecution would not only restrain states from going after breached companies that run afoul of their laws, but also inhibit their ability to extract a financial toll in federal court on companies that keep breaches secret.
The proposed law would apply to “covered entities,” which it defines as “any person, partnership, corporation, trust, estate, cooperative, association, or other entity that accesses, maintains, or stores personal, or handles personal information.”
Among other things, the bill would require covered entities to designate people within their organization to oversee and implement cybersecurity best practices, and “maintain reasonable procedures for the security of personal information by third parties.” Covered entities would also be required to conduct an “immediate investigation” if they believe personal information has been compromised, and to notify certain federal and credit-reporting agencies should a breach include the data of 5,000 or more consumers. And if there is “a reasonable risk that the breach of data security has resulted in or will result in identity theft, fraud, or economic loss to the consumers,” covered entities must notify consumers of the breach.
The legislation empowers state attorneys general to bring civil actions in federal court against covered entities that violate the bill’s provisions, except where those entities are financial institutions, which would instead be prosecuted by agencies empowered under the Gramm-Leach-Bliley Act. States would also have to immediately notify the Federal Trade Commission upon bringing an action under the bill, and the commission may intervene in the case at any time. And should the FTC first initiate an action against a covered entity under the legislation, state attorneys general would not be allowed to bring additional actions under the law against the same covered entity.
What It Means for States
In effect, since the bill only requires companies to notify consumers of a data breach when the breach poses a “reasonable risk” of injury, states would no longer be able to go after companies in federal court solely on the basis that they kept a breach secret. By comparison, state attorneys general currently have the ability to prosecute breached companies “even if a consumer is not harmed or injured,” explained Joseph Jacquot, a partner at Foley & Lardner who formerly served as chief deputy attorney general of Florida and deputy chief counsel of the U.S. Senate Judiciary Committee.
As an example, Jacquot pointed to the $18.5 million settlement Target paid 47 states and the District of Columbia in May 2017, relating to the company’s 2013 breach. Because the action taken by the states was not related to actual consumer injury, the settlement did not go to consumers affected by the breach.
Instead, the court ordered it to be used to pay for attorney fees and the cost of the investigation or to “be placed in or applied to, the consumer protection law enforcement, including future consumer protection or privacy enforcement, consumer education, litigation, or local consumer aid fund or revolving fund.”
Under the new act, however, states would be unable to band together in federal court to obtain such a settlement to fund their consumer protection programs.
But some dismiss the notion that a federal breach notification law that empowers the FTC will be a less useful cybersecurity deterrent than current state-launched prosecutions. “I think that taking anything to a federal agency like the FTC is always more powerful,” said Dimitri Sirota, CEO of compliance solutions provider BigID. “You just need to equip these regulators with teeth, they just need the legislation to provide them with enough of a stick to affect behavior.”
What’s more, others argue that the legal pre-emption the proposed bill would enact on states is nothing entirely new. Jacquot noted that “this is the same structure under the Consumer Financial Protection Bureau. … State attorneys general are able to enforce any CFPB rule, and they can do that in state or federal courts. But if the CFPB wants to take over a case, they can, and I haven’t heard anyone raise an issue with that.”
How this criticism by the state attorneys general will affect the proposed bill remains to be seen. But Jacquot did note that although the letter included 31 state attorneys general, it did not include two-thirds of them nationwide, the minimum number needed for an “official letter of the National Association of Attorneys General.”
This may have less impact on Congress “because rather than speaking for all attorneys general, it’s a handful of attorneys general that might have their particular reasons why they would write such a letter,” Jacquot said.
Still, 31 state attorneys general is a significant number. And at the very least, it shows that many states believe the law has a chance of getting passed.
“Frankly, it seems like a very likely area where you will see some legislation before the midterms,” Sirota said. “Even given how many challenges there are in getting a unified approach to passing bills, this seems to be something where it crosses party lines.”