It would be greatly detrimental to have federal regulations that preempt state data security and state data breach laws, according to a group of 32 attorneys general, led by Illinois Attorney General Lisa Madigan.
The letter explains concerns that have arisen with the proposed Data Acquisition and Technology Accountability and Security Act, a draft bill released on February 16, 2018. The proposed legislation would preempt necessary state laws that require consumers and attorneys general be notified about data breaches, the group explained.
Additionally, the bill “appears to place Equifax and other consumer reporting agencies and financial institutions out of states’ enforcement reach,” the letter stated.
“We know first-hand how alarmed and frustrated consumers are when they learn a company they trusted to protect their sensitive personal data has suffered a breach,” the attorneys general explained. “We regularly hear from our consumers after a data breach, including scores of concerned consumers who reached out to our offices for help after the recent Equifax data breach that put over 145 million Americans at a life-time risk of identity theft.”
State data breach notification requirements have helped to increase transparency about data breaches that have taken place in the last 10 years, the letter maintained. Attorneys general have taken the information about where organizations have failed in their security measures to create stronger requirements for companies.
“We urge you to avoid limiting our ability to learn about data breaches and to require companies to improve their data security measures going forward,” the attorneys general wrote.
The bill would allow companies to determine whether to notify consumers of a breach based on their own judgment. This reduced transparency will likely result in fewer data breach notifications being sent out to consumers who may be at the risk of harm, the group explained.