Oct. 1 -- Representatives from the offices of three
state attorneys general told attendees Oct. 1 at a Bellevue, Wash., convention
of the International Association of Privacy Professionals that they are not
reluctant to bring actions against companies involved in data breaches.
Moderator Divonne Smoyer, a partner at Dickstein Shapiro LLP in Washington,
framed the discussion on state attorneys general at the IAPP Privacy Academy by
saying that many people “think that the privacy action really takes place at
the federal level and the international level and they more or less give short
shrift to the states.”
People see compliance with state regulations and
rules “as a matter of rote,” Smoyer said. “They don't really think that states
have teeth or that they are going to enforce their laws.”
states have breach notification laws, and many have data privacy laws, Smoyer
said. She added that state attorneys general often have the authority to
enforce statutes like the Health Insurance Portability and Accountability Act,
the Health Information Technology for Economic and Clinical Health and the
Children's Online Privacy Protection Act.
In introducing Vermont
Attorney General William Sorrell (D), she called him “one of the earliest AGs
and still among the few AGs that have exercised their enforcement under HIPAA
laws.” Sorrell said, “We're not at all reluctant to bring an enforcement
action--(1) to serve as an example to other companies and (2) to have a
relatively equal playing field.”
Paula Selis, senior counsel at the Washington State Attorney General's
Consumer Protection Division, said Washington participates in multistate data
breach litigation. “We pool our resources” by sending out subpoenas to
potential targets “and we share that information with each other,” she said.
In circumstances where a company did not take enough care to protect the data,
a lawsuit might be filed, sometimes simultaneously with a consent decree, she
Selis said her office's work complements the Federal Trade Commission's work.
“If the FTC is doing a good job, there may be no good reason for the states to
enter into the fray,” she said. “If there are additional laws that we want to
enforce--maybe our laws give us more leverage than the FTC's laws--then we
might decide it's a case we want to get involved with.”
are some “horror stories” about federal authorities getting involved with
enforcement actions at the state level, state attorneys general “are in a
pretty good spot” dealing cooperatively with both the FTC and the Consumer
Financial Protection Bureau, Sorrell said.
Joanne McNabb, director of
privacy education and policy at the Office of the California Attorney General,
said that California is one of eight states that has a right to privacy
memorialized in its constitution. She said the commitment of California
Attorney General Kamala Harris (D) to protecting privacy is reflected by the
recent creation of a privacy unit staffed with five attorneys.
McNabb said Harris brought together major
mobile application platform companies to agree to strengthen privacy
notifications and protections to bring them in line with California online
privacy law. Because of Harris's discussions with those companies, McNabb
downloading the app that sucks out all of the information.”
Sorrell emphasized the importance of creating a collaborative working
relationship with companies. He described how his office hired an expert with
money from a “big national settlement” to attempt penetrations into corporate
computer systems. “If we find vulnerability, we'll tell the company,” he said.
“We also do some training with small business on data security issues.”
Washington's Selis added, “Our philosophy is we want to have a relationship
before the data breach occurs.”
To contact the reporter on
this story: Paul Shukovsky in Seattle at firstname.lastname@example.org.
To contact the editor
responsible for this story: Katie W. Johnson at email@example.com.
Additional information on the International Association of Privacy
Professionals is available at https://www.privacyassociation.org.