State Attorneys General Are Crucial Force In Enforcement of Data Breach Statutes

By Paul Shukovsky  

Oct. 1 --Representatives from the offices of three state attorneys general told attendees Oct. 1 at a Bellevue, Wash., convention of the International Association of Privacy Professionals that they are not reluctant to bring actions against companies involved in data breaches.

Moderator Divonne Smoyer, a partner at Dickstein Shapiro LLP in Washington, framed the discussion on state attorneys general at the IAPP Privacy Academy by saying that many people “think that the privacy action really takes place at the federal level and the international level and they more or less give short shrift to the states.”

People see compliance with state regulations and rules “as a matter of rote,” Smoyer said. “They don't really think that states have teeth or that they are going to enforce their laws.”

Almost all states have breach notification laws, and many have data privacy laws, Smoyer said. She added that state attorneys general often have the authority to enforce statutes like the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health and the Children's Online Privacy Protection Act.

In introducing Vermont Attorney General William Sorrell (D), she called him “one of the earliest AGs and still among the few AGs that have exercised their enforcement under HIPAA laws.” Sorrell said, “We're not at all reluctant to bring an enforcement action--(1) to serve as an example to other companies and (2) to have a relatively equal playing field.”

'We Pool Our Resources.’

Paula Selis, senior counsel at the Washington State Attorney General's Consumer Protection Division, said Washington participates in multistate data breach litigation. “We pool our resources” by sending out subpoenas to potential targets “and we share that information with each other,” she said. In circumstances where a company did not take enough care to protect the data, a lawsuit might be filed, sometimes simultaneously with a consent decree, she said.

“Washington participates in multistate data breach litigation.”

Paula Selis, Senior Counsel, Washington State Attorney General's Consumer Protection Division

Selis said her office's work compliments the Federal Trade Commission's work. “If the FTC is doing a good job, there may be no good reason for the states to enter into the fray,” she said. “If there are additional laws that we want to enforce--maybe our laws give us more leverage than the FTC's laws--then we might decide it's a case we want to get involved with.”

Although there are some “horror stories” about federal authorities getting involved with enforcement actions at the state level, state attorneys general “are in a pretty good spot” dealing cooperatively with both the FTC and the Consumer Financial Protection Bureau, Sorrell said.

Joanne McNabb, director of privacy education and policy at the Office of the California Attorney General, said that California is one of eight states that has a right to privacy memorialized in its constitution. She said the commitment of California Attorney General Kamala Harris (D) to protecting privacy is reflected by the recent creation of a privacy unit staffed with five attorneys.

Working Directly With Companies

McNabb said Harris brought together major mobile application platform companies to agree to strengthen privacy notifications and protections to bring them in line with California online privacy law . Because of Harris's discussions with those companies, McNabb said, a consumer “has the opportunity to see the privacy policy before downloading the app that sucks out all of the information.”

Vermont's Sorrell emphasized the importance of creating a collaborative working relationship with companies. He described how his office hired an expert with money from a “big national settlement” to attempt penetrations into corporate computer systems. “If we find vulnerability, we'll tell the company,” he said. “We also do some training with small business on data security issues.”

Washington's Selis added, “Our philosophy is we want to have a relationship before the data breach occurs.”


To contact the reporter on this story: Paul Shukovsky in Seattle at

To contact the editor responsible for this story: Katie W. Johnson at

Additional information on the International Association of Privacy Professionals is available at