As Congress considers enacting a national law regarding data-breach notifications, Connecticut and most other states worry that such a law would potentially infringe on their right to investigate breaches.
Connecticut Attorney General George Jepsen and 46 other state attorneys general on Tuesday sent a letter to Congressional leaders, asking them to preserve states’ abilities to investigate and take action in response to data breaches impacting their residents.
There are eight bills before Congress addressing data security and data breach notification. According to Jepsen, while the bills differ in the protections they would offer consumers, all but one would pre-empt state laws and enforcement efforts.
“It would be a serious error for the federal government to pre-empt states from investigating and enforcing data privacy and security laws,” Jepsen said in a statement. “State attorneys general, often working together on a bipartisan basis, have become experienced, nimble and effective investigators while also working proactively within the business community to promote increased awareness and best practices.”
The attorneys general sent the letter to Senate Majority Leader Mitch McConnell, Speaker of the House John Boehner, Senate Minority Leader Harry Reid, and House Minority Leader Nancy Pelosi.
Since 2005, roughly 5,000 data breaches have compromised nearly 816 million records, the letter said. Such breaches put consumers’ personal information — financial account numbers, Social Security numbers, and medical information, most often — at risk, the attorneys general said.
For many consumers, the greatest fear when it comes to data breaches is identity theft, in which thieves use consumers’ personal information to impersonate them.
Some of the largest breaches in recent years have taken place at major retail chains, including Target, Home Depot, and TJX Companies. Together, those breaches put the personal data of hundreds of millions of consumers at risk.
In Connecticut, Jepsen said his office has received more than 400 data breach notifications annually since the state’s breach notification law was amended in 2012 to mandate that his office be notified.
“To suggest that federal law enforcement officials would have the resources and abilities to follow up on every single breach notification in order to protect consumers in the same manner in which attorneys general now operate is, I believe, misguided,” Jepsen said.
States started adopting data breach notification laws in 2003, and 47 states have passed laws requiring data collectors to notify consumers when their personal information has been compromised.
“States are on the front line in helping consumers deal with the repercussions of a data breach,” the attorneys general said in the letter. “Our offices have helped tens of thousands of consumers remove fraudulent charges from their financial accounts and repair bad credit caused by identity theft. We also work to prevent the likelihood of identity theft by ensuring data collectors take the necessary steps to protect consumers’ information.”
Just last month, Connecticut lawmakers voted to strengthen the state’s data breach notification law, requiring businesses to notify victims within 90 days and offer at least one year of identity theft protection. The bill became law July 1.
“It is important that any federal legislation ensure that states can continue to enforce breach notification requirements under their own state laws,” the letter from the attorneys general said. “States also should have the right to adapt their laws to respond to changes in technology and data collection.”