Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
Oct. 1 --Representatives from the offices of three state attorneys general told attendees Oct. 1 at a Bellevue, Wash., convention of the International Association of Privacy Professionals that they are not reluctant to bring actions against companies involved in data breaches.
Moderator Divonne Smoyer, a partner at Dickstein Shapiro LLP in Washington, framed the discussion on state attorneys general at the IAPP Privacy Academy by saying that many people “think that the privacy action really takes place at the federal level and the international level and they more or less give short shrift to the states.”
People see compliance with state regulations and rules “as a matter of rote,” Smoyer said. “They don't really think that states have teeth or that they are going to enforce their laws.”
Almost all states have breach notification laws, and many have data privacy laws, Smoyer said. She added that state attorneys general often have the authority to enforce statutes like the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health and the Children's Online Privacy Protection Act.
In introducing Vermont Attorney General William Sorrell (D), she called him “one of the earliest AGs and still among the few AGs that have exercised their enforcement under HIPAA laws.” Sorrell said, “We're not at all reluctant to bring an enforcement action--(1) to serve as an example to other companies and (2) to have a relatively equal playing field.”
Paula Selis, senior counsel at the Washington State Attorney General's Consumer Protection Division, said Washington participates in multistate data breach litigation. “We pool our resources” by sending out subpoenas to potential targets “and we share that information with each other,” she said. In circumstances where a company did not take enough care to protect the data, a lawsuit might be filed, sometimes simultaneously with a consent decree, she said.
“Washington participates in multistate data breach litigation.”
Paula Selis, Senior Counsel, Washington State Attorney General's Consumer Protection Division
Selis said her office's work compliments the Federal Trade Commission's work. “If the FTC is doing a good job, there may be no good reason for the states to enter into the fray,” she said. “If there are additional laws that we want to enforce--maybe our laws give us more leverage than the FTC's laws--then we might decide it's a case we want to get involved with.”
Although there are some “horror stories” about federal authorities getting involved with enforcement actions at the state level, state attorneys general “are in a pretty good spot” dealing cooperatively with both the FTC and the Consumer Financial Protection Bureau, Sorrell said.
Joanne McNabb, director of privacy education and policy at the Office of the California Attorney General, said that California is one of eight states that has a right to privacy memorialized in its constitution. She said the commitment of California Attorney General Kamala Harris (D) to protecting privacy is reflected by the recent creation of a privacy unit staffed with five attorneys.
Vermont's Sorrell emphasized the importance of creating a collaborative working relationship with companies. He described how his office hired an expert with money from a “big national settlement” to attempt penetrations into corporate computer systems. “If we find vulnerability, we'll tell the company,” he said. “We also do some training with small business on data security issues.”
Washington's Selis added, “Our philosophy is we want to have a relationship before the data breach occurs.”
To contact the reporter on this story: Paul Shukovsky in Seattle at firstname.lastname@example.org.
To contact the editor responsible for this story: Katie W. Johnson at email@example.com.
Additional information on the International Association of Privacy Professionals is available at https://www.privacyassociation.org.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)