Oct. 1 -- Representatives from the offices of three state attorneys general told attendees Oct. 1 at a Bellevue, Wash., convention of the International Association of Privacy Professionals that they are not reluctant to bring actions against companies involved in data breaches.
Moderator Divonne Smoyer, a partner at Dickstein Shapiro LLP in Washington, framed the discussion on state attorneys general at the IAPP Privacy Academy by saying that many people “think that the privacy action really takes place at the federal level and the international level and they more or less give short shrift to the states.”
People see compliance with state regulations and rules “as a matter of rote,” Smoyer said. “They don't really think that states have teeth or that they are going to enforce their laws.”
Almost all states have breach notification laws, and many have data privacy laws, Smoyer said. She added that state attorneys general often have the authority to enforce statutes like the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act and the Children's Online Privacy Protection Act.
In introducing Vermont Attorney General William Sorrell (D), she called him “one of the earliest AGs and still among the few AGs that have exercised their enforcement under HIPAA laws.” Sorrell said, “We're not at all reluctant to bring an enforcement action--(1) to serve as an example to other companies and (2) to have a relatively equal playing field.”
Paula Selis, senior counsel at the Washington State Attorney General's Consumer Protection Division, said Washington participates in multistate data breach litigation. “We pool our resources” by sending out subpoenas to potential targets “and we share that information with each other,” she said. In circumstances where a company did not take enough care to protect the data, a lawsuit might be filed, sometimes simultaneously with a consent decree, she said.
Selis said her office's work complements the Federal Trade Commission's work. “If the FTC is doing a good job, there may be no good reason for the states to enter into the fray,” she said. “If there are additional laws that we want to enforce--maybe our laws give us more leverage than the FTC's laws--then we might decide it's a case we want to get involved with.”
Although there are some “horror stories” about federal authorities getting involved with enforcement actions at the state level, state attorneys general “are in a pretty good spot” dealing cooperatively with both the FTC and the Consumer Financial Protection Bureau, Sorrell said.
Joanne McNabb, director of privacy education and policy at the Office of the California Attorney General, said that California is one of eight states that have a right to privacy memorialized in their constitutions. She said the commitment of California Attorney General Kamala Harris (D) to protecting privacy is reflected by the recent creation of a privacy unit staffed with five attorneys.
Vermont's Sorrell emphasized the importance of creating a collaborative working relationship with companies. He described how his office hired an expert with money from a “big national settlement” to attempt penetrations into corporate computer systems. “If we find vulnerability, we'll tell the company,” he said. “We also do some training with small business on data security issues.”
Washington's Selis added, “Our philosophy is we want to have a relationship before the data breach occurs.”
To contact the reporter on this story: Paul Shukovsky in Seattle at firstname.lastname@example.org.
To contact the editor responsible for this story: Katie W. Johnson at email@example.com.
Additional information on the International Association of Privacy Professionals is available at https://www.privacyassociation.org.