Warning that a national data breach law would “make consumers less protected,” Indiana Attorney General Greg Zoeller has joined 46 other state and territorial attorneys general in asking Congress to preserve states’ ability to respond to cyber theft.
The group sent a letter Tuesday to majority and minority leaders in the U.S. House of Representatives and U.S. Senate. Referring to recent efforts on Capitol Hill to pass a national law on data breach notification and data security, the attorneys general cautioned against federal preemption of state data breach and security laws.
They wrote that any federal law must not diminish the role states already play in protecting consumers from data breaches and identity theft. Their offices hear directly from affected consumers, the attorneys general stated, and they respond to those complaints and calls.
“Any federal legislation on data breach notification and data security should recognize this important role and not hinder states that are helping their residents,” the letter stated. “Preempting state law would make consumers less protected than they are right now. Our constituents are continually asking for greater protection. If states are limited by federal legislation, we will be unable to respond to their concerns.”
However, in a March 2015 interview with the Indiana Lawyer, Zoeller saw a role for a federal response to cyber security issues. He said the federal government should set the policy for protecting consumers’ personal information.
“I’m an advocate in favor of states’ authority but on something that’s a national problem, frankly a state attorney is not going to be in a strong position to fix it,” Zoeller said.
The letter does not advocate against federal cyber laws. Rather, the attorneys general urge Congress to preserve existing protections available under state laws, ensuring that states can continue to enforce breach notification requirements through their own state laws and that they can enact new laws to respond to new data security threats.
“Placing enforcement authority and regulatory authority with the federal government would hamper the effectiveness of the federal law, especially with respect to data breach notification and data security,” the attorneys general wrote. “Too many breaches occur for any one agency to response effectively to all of them.”
A press release from the Office of the Indiana Attorney General provided an example of the abilities states have under their own laws. In Indiana, the attorney general can pursue enforcement actions against businesses and organizations that fail to notify consumers about security breaches that have placed their personal information in jeopardy. Under the state’s Disclosure of Security Breach law, the attorney general can seek up to $150,000 for data breaches that are not properly disclosed to Hoosier customers.
The AGs’ letter concluded with a call to Congress to allow states to continue to address cyber breaches.
“To ensure that any federal data breach notification law is effective and consumers are afforded the best protection, it is crucial that state attorneys general maintain their enforcement authority under their states’ laws, and that any legislation be tailored to ensure complementary enforcement authority,” the letter stated.
In 2014, nearly 400 data breaches were reported to the Indiana attorney general’s office. Thus far in 2015, 269 data breaches have been reported. Additionally, the attorney general’s office has received 728 complaints about identity theft this year; more than 1,300 complaints were received last year.