NC Attorney General Urges Congress to Preserve State’s Authority on Data Breaches

A coalition of attorneys general argue that any federal law must not diminish the important role of states in addressing data breaches and ID theft

NC Attorney General Urges Congress to Preserve State’s Authority on Data Breaches
Image: Pexels
March 20, 2018

North Carolina Attorney General Josh Stein is urging Congress not to preempt state data breach and data security laws—including laws that require notice to consumers and state attorneys general of data breaches—with the proposed Data Acquisition and Technology Accountability and Security Act.

Keeping State's Authority in Place

In the letter to Congress sent this week, a bipartisan coalition of state attorneys general argue that any federal law must not diminish the important role of states in addressing data breaches and identity theft, especially in North Carolina, where our laws provide greater protections than federal counterparts.

Attorney General Stein and Rep. Jason Saine are currently crafting legislation to further protect North Carolinians in the wake of massive breaches at Equifax and Uber.

"Technology makes our lives easier, more convenient, and helps to foster relationships with loved ones far away, but it can also pose dangers," said Attorney General Stein. "As we increasingly live our lives online, there are more opportunities for the data we share to be stolen or mishandled. In fact, last year, there were more than 1,000 data breaches reported to my office. North Carolina is best suited to make decisions about how to protect North Carolinians – as is the case with the legislation Rep. Jason Saine and I are working to pass. Congress must not deprive the state of North Carolina the right to respond to these issues quickly and efficiently on behalf of our people."

Concerns with the Data Acquisition and Technology Accountability and Security Act

The attorneys general point out a number of concerns with what the Data Acquisition and Technology Accountability and Security Act would do, including:

Reduced transparency to consumers: The bill allows entities suffering data breaches to determine whether to notify consumers of a breach based on their own judgment. The attorneys general argue that when a data breach occurs, impacted consumers should be informed as soon as possible.

Narrow focus on large-scale data breaches: The bill fails to acknowledge that most breaches are either local or regional in nature. The bill only addresses large, national breaches affecting 5,000 or more consumers and prevents state attorneys general from learning of or addressing breaches that are smaller but still cause great harm to consumers.

Preserve Existing Protections in State Law

The letter urges Congress to preserve existing protections in state law, ensuring that states can continue to enforce breach notification requirements under their own state laws and enact new laws to respond to new data security threats.

Attorney General Josh Stein signed the letter to Congress along with officials from the states of Illinois, Alabama, California, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Hawaii, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, New Jersey, New York, New Mexico, North Dakota, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Vermont, Washington, and Wisconsin.