Rutledge Urges Congress to Preserve State Authority to Enforce Data Breach and Security Laws
July 7, 2015
LITTLE ROCK – Arkansas Attorney General Leslie Rutledge today co-sponsored a bipartisan, multistate letter to the U.S. Congress in an effort to ensure that any future federal data breach notification or data security law provides consumers with the best protection.
The letter, signed by 47 attorneys general, emphasizes the importance of maintaining States’ authority to enforce data breach and data security laws, as well as their ability to enact laws to address future data security risks.
Citing recent efforts in Congress to pass a national law on data breach notification and data security, Rutledge and other attorneys general caution against federal preemption of State data breach and security law and argue that any federal law must not diminish the important role States already have to protect consumers from data breaches and identity theft.
“Every day it seems like Americans are faced with another announcement that their data has been hacked,” said Attorney General Rutledge. “These breaches are scary, and Congress must realize that attorneys general and the States are in a much better position to protect consumers from identity theft and data breaches. Along with 46 of my colleagues, I urge Congress to carefully consider the role of the States before it takes action on any data security laws.”
The letter urges Congress to preserve existing protections under State law so that States can continue to enforce breach notification requirements under their own State laws and to enact new laws to respond to new data security threats, and not to hinder, through preemption of State data breach and security laws, the States that are helping their residents.
The letter points out a number of concerns with federal preemption of State data breach and security laws, including:
- Data breaches and identity theft continue to cause significant harm to consumers. Since 2005, nearly 5,000 data breaches have compromised more than 815 million records containing sensitive information about consumers.
- Data security vulnerabilities are too common. States frequently encounter circumstances where data breach incidents result from the failure by data collectors to reasonably protect the sensitive information entrusted to them, putting consumers at unnecessary risk. Many of these breaches could have been prevented if the data collector had taken reasonable steps to secure consumers’ data.
- States play an important role in responding to data breaches and identity theft. The States have been on the front lines in helping consumers deal with the repercussions of a data breach, providing important assistance to consumers who have been impacted and investigating the causes to determine if reasonable data security measures were in place. Forty-seven states now have laws requiring data collectors to notify consumers when their personal information has been compromised, and a number of states have also passed laws requiring companies to adopt reasonable data security practices.
Today’s letter, co-sponsored by Arkansas, Connecticut, Illinois, Indiana, Maryland, Massachusetts and Nebraska, was also joined by the following states and territories: Alabama, Alaska, Arizona, California, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Northern Mariana Islands, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, and West Virginia.
A copy of the letter is available here.