On Monday, the International Association of Privacy Professionals (IAPP) hosted a discussion that featured state and federal privacy regulators. The panel included Maneesha Mithal, Associate Director for the Division of Privacy and Identity Theft at the Federal Trade Commission; Marty Jackley, Attorney General of South Dakota; and Bill Sorrell, Attorney General of Vermont. The panel was intended to discuss privacy generally; however, the conversation quickly focused on the latest hot topic: data breach.

It was acknowledged at the outset of the conversation that the important role state attorneys general play in regulating privacy, both individually and in tandem, is often overlooked.  Ms. Mithal suggested that, for example, while the EU is familiar with the FTC’s enforcement authority and the existence of some federal law, the “story often not told” is that there are “cops on the beat,” and specifically, that the United States has robust state enforcement of privacy protections.

California has long been regarded as a pioneer on digital privacy, but on the issue of data security in particular, several state attorneys general have been active advocates. One of them is Vermont’s Bill Sorrell, who noted at the panel that although his state is known for its progressive politics, a strong libertarian counterpart has made privacy a longstanding issue. Vermont has recently taken more aggressive steps to protect personal information, and its Security Breach Notice Act requires businesses to notify the AG of a data breach within 14 days. The AG issued guidance on next steps a business should take in the event of a breach, and also posted on the AG’s website is a list of notice letters from every company that has notified Vermont consumers of security incidents involving personal information. Connecticut’s AG George Jepsen has also stepped up data-security enforcement, and he supported an amendment to the state’s data-breach law that requires businesses to report security breaches to the AG, along with consumers. Texas, Florida, and New Mexico are also states to watch: Texas amended its data-breach law; just last week, Florida AG Pam Bondi announced her priority to work with the state legislature to enhance Florida’s data breach laws; and also last week, the New Mexico House unanimously passed a breach notice bill that would, like Vermont, require businesses to notify the AG within 14 days of discovering a breach.

Meanwhile, South Dakota is one of the few states that has not yet enacted legislation requiring businesses to notify individuals of security breaches involving personally identifiable information.  So far, forty-six states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have passed such laws, with Alabama, Kentucky, New Mexico, and South Dakota remaining the four states that have not.

As a former United States Attorney and as the chief law enforcement officer of his state, AG Jackley noted that he approaches privacy issues with an eye toward criminal prosecution rather than civil or administrative remedies. Although his state has no breach-notification law, he mentioned that he has not seen a real need for one, because businesses have been unwilling to “push the envelope with the possibility of criminal indictment.” Nevertheless, AG Jackley stated that if South Dakota moved to enact a breach-notification statute, Target’s handling of the data breach it suffered last December should serve as a model for transparency and responsiveness. Praising Target for “doing the right thing” by not hiding information and for being willing to discuss the breach with state and federal enforcement authorities soon after it occurred, AG Jackley said that Target alleviated his initial concerns and caused him to view the business “more as a victim than a target for criminal indictment.” Once again using Target as an example, AG Jackley also attributed his good working relationships with businesses to their willingness to cooperate despite the absence of a breach-notification law in South Dakota.

From the FTC’s perspective, Ms. Mithal likewise emphasized the importance of open dialogue with the business community, and she specifically urged businesses to share their facts with the FTC before news stories are published. Although audience members expressed skepticism at this approach, Ms. Mithal assured them that “conditioning” the FTC, even with a quick “check in” to explain what a business knows and does not know about a potential breach, is always preferable to the FTC learning of a big privacy event through other sources.

Five data-breach bills are currently pending in the U.S. Senate.  All of the bills preempt state laws pertaining to data protection and breach notice, while many of them still allow for state enforcement of federal law.  Although it is unclear whether any federal legislation will pass, states remain focused on the issue.  In 2014 alone, at least seventeen states introduced or are considering security-breach legislation, most of which would amend existing laws.  Stay tuned.