Reports of data breaches fill today’s news feeds with alarming frequency. Given the inevitability of breaches, including high-profile ones, state attorneys general are taking a more active role in helping consumers deal with the repercussions of a data breach, investigating data security lapses, and enforcing data breach notification laws.
In the 2018 Data Security Incident Response Report, the legal experts at BakerHostetler wrote: “In the wake of several recent high-profile incidents, regulators are taking a more aggressive role in investigating data breaches. We are seeing increases in both the number of inquiries and the speed with which the inquiries are made. No longer confined to a few active state attorneys general (AGs), investigations may be opened by any AG whose state’s residents are affected.”
And back in 2015, the National Association of Attorneys General (NAAG) wrote a letter to Congress explaining that “any additional protections afforded consumers by a federal law must not diminish the role states already play protecting consumers from data breaches and identity theft.” It also stressed the importance of states continuing to set the pace to enact and enforce breach notification law.
Keeping abreast of data breaches is critical to performing this work. Thus, in 2018, we saw several states add a requirement to notify the attorney general in the event of a breach. NAAG’s letter to Congress stated: “This requirement enables those offices to more quickly respond to breaches and accurately provide information to concerned consumers. The much-needed transparency over data breaches that has been achieved in recent years is largely attributable to these requirements at the state level.”
Regulatory disparities from coast to coast
One interesting nuance of this requirement is that the number of affected residents that triggers the notification obligation varies from state to state. For example:
- Arizona HB 2154 requires the attorney general to be notified if more than 1,000 residents require notification.
- Delaware HB 180 and Colorado HB 1128 both stipulate the attorney general must be notified if more than 500 residents are affected.
- South Dakota SB 62 requires notification to the attorney general of any breach of system security that affects more than 250 residents.
Another outlier is that some states require attorney general notification even when notice to individuals is not required because of a determination that harm to those individuals is unlikely. For example, under South Dakota’s breach notification law, which went into effect in July 2018, a covered entity (defined under the law as an “information holder”) is not required to notify affected individuals if, “following an appropriate investigation and notice to the attorney general, the information holder reasonably determines that the breach will not likely result in harm to the affected person.”
Changes to existing laws also have an impact. Massachusetts recently amended its law to expand the content of notifications to the attorney general: the notification must now state whether or not the breached entity maintains a written information security program and must attest that the credit monitoring services offered to affected residents comply with the statute’s new requirements.
Lastly, we would be remiss in discussing the role of the state attorney general if we didn’t call out the prominent role of the California Attorney General in the forthcoming California Consumer Privacy Act (CCPA), which has an effective date of January 1, 2020. The CCPA authorizes the attorney general’s office to enforce its provisions. The state attorney general also began the CCPA rulemaking process in December 2018 with public forums. In February of 2019, California Attorney General Xavier Becerra, together with Senator Jackson, introduced a proposed amendment intended to strengthen and clarify the CCPA.
Note: The CCPA introduces key privacy requirements for businesses and grants consumers new rights regarding their personal information, but does not currently add to or change breach notification requirements under existing California civil code. RADAR provides incident and jurisdiction-specific decision support for privacy incidents as they apply under California civil code.
Staying on top of the regulatory game
As with other regulatory trends we’ve been tracking, attorney general notification requirements add a layer of complexity to your breach response program. In the event of a breach, this is a key deadline that you will need to track, and one more notification you may need to create and send. Adding to this complexity, the actual contact information and process for notifying a state attorney general can sometimes be difficult to identify.
Breach notification laws, including those with state attorney general requirements, create a complicated landscape for privacy, security, and legal teams responsible for risk mitigation and regulatory compliance. The RADAR regulatory team eases this challenge by rigorously tracking changes in data breach notification laws and incorporating the changes into the RADAR platform, helping ensure compliance with all state, federal, and international data breach notification laws.
You can also learn more by downloading the free ebook: Changing Data Breach Notification Laws: Regulatory Trends.