Letter Signed By Schneiderman And 46 Other State Attorneys General Cautions Congress About The Potential For Federal Legislation To Diminish State Data Breach And Security Law
New York—Attorney General Eric T. Schneiderman today joined 46 other Attorneys General who signed onto a multistate letter to U.S. Congress emphasizing the importance of maintaining states’ authority to enforce data breach and data security laws, and their ability to enact laws to address future data security risks. Citing recent efforts in Congress to pass a national law on data breach notification and data security, this bipartisan effort cautions against federal preemption of state data breach and security law and argues that any federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft.
“Consumers in New York and across the country are increasingly at risk of data-breaches,” said Attorney General Schneiderman. “In New York, my office has introduced legislation that would significantly strengthen privacy safeguards in our state. As other states join the effort to enact data security laws, we must ensure that consumers are protected by the toughest safeguards possible.”
The letter points out a number of concerns with federal preemption of state data breach and security laws, including:
- Data breaches and identity theft continue to cause significant harm to consumers.Since 2005, nearly 5,000 data breaches have compromised more than 815 million records containing sensitive information about consumers – primarily financial account information, Social Security numbers or medical information. Full-blown identity theft involving the use of a Social Security number can cost a consumer $5,100 on average according to one source.
- Data security vulnerabilities are too common.States frequently encounter circumstances where data breach incidents result from the failure by data collectors to reasonably protect the sensitive data entrusted to them by consumers, putting consumers’ personal information at unnecessary risk. Many of these breaches could have been prevented if the data collector had taken reasonable steps to secure consumers’ data.
- States play an important role responding to data breaches and identity theft. The States have been at the frontlines in helping consumers deal with the repercussions of a data breach, providing important assistance to consumers who have been impacted by data breaches or who suffer identity theft or fraud as a result, and investigating the causes of data breaches to determine whether the data collector experiencing the breach had reasonable data security in place. Forty-seven states now have laws requiring data collectors to notify consumers when their personal information has been compromised by a data breach, and a number of states have also passed laws requiring companies to adopt reasonable data security practices.
According to a report issued by Attorney General Schneiderman in July, 2014, the number of reported data security breaches in New York more than tripled between 2006 and 2013. In that same period, 22.8 million personal records of New Yorkers were exposed which cost the public and private sectors in New York upward of $1.37 billion in 2013 alone.
In 2005, 44 state attorneys general wrote a similar letter to Congress calling for a national law on breach notification that did not preempt state enforcement or state law.
Today’s letter, co-sponsored by Arkansas, Connecticut, Illinois, Indiana, Maryland, Massachusetts and Nebraska, was also joined by the following states and territories: Alabama, Alaska, Arizona, California, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, North Mariana Islands, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, and West Virginia.