MADIGAN URGES CONGRESS TO PRESERVE STATE’S AUTHORITY TO ENFORCE DATA BREACH & DATA SECURITY LAWS
Madigan Leads Coalition Opposing Federal Preemption of States’ Ability to Legislate & Enforce Laws that Protect Consumers from Data Breaches & Identity Theft
Chicago — Attorney General Lisa Madigan today led a coalition of 32 attorneys general urging Congress not to preempt state data breach and data security laws, including laws that require notice to consumers and state attorneys general of data breaches.
In their letter, Madigan and the other attorneys general point to the massive data breach at credit reporting agency Equifax that impacted nearly 148 million Americans and argue that any federal law must not diminish the important role of states in addressing data breaches and identity theft, especially in states like Illinois that have enacted laws to provide greater protections than federal provisions.
“States are the first line of defense when people are impacted by data breaches of all sizes,” Madigan said. “Eliminating the state’s power to help consumers minimize the threat of identity theft will only leave consumers vulnerable and open to more harm.”
The letter urges Congress to preserve existing protections in state law, ensure that states can continue to enforce breach notification requirements under their own state laws and enact new laws to respond to new data security threats.
In part, the letter states:
“States have proven themselves to be active, agile, and experienced enforcers of their consumers’ data security and privacy. With the increasing threat and ever-evolving nature of data security risks, the state consumer protection laws that our Offices enforce provide vital flexibility and a vehicle by which the States can rapidly and effectively respond to protect their consumers.”
Madigan and the attorneys general point out a number of serious concerns with the proposed Data Acquisition and Technology Accountability and Security Act, including:
Reduced transparency to consumers: The bill allows entities suffering data breaches to determine whether to notify consumers of a breach based on their own judgment. Madigan and the attorneys general argue that when a data breach occurs, impacted consumers should be informed as soon as possible. Allowing a breached company to determine whether a consumer already has been a victim of identity theft, fraud, or economic loss will result in fewer notifications to consumers who are at risk of harm.
Delayed notification to consumers affected by data breaches: Even if a breached company decides to give notice of the breach to affected consumers, the bill allows them to notify the consumer after the harm already has occurred. Madigan and the coalition argue that consumers should know right away if their data has been compromised so they can take pro-active steps to protect themselves from identity theft before it happens.
Narrow focus on large-scale data breaches: The bill fails to acknowledge that most breaches are either local or regional in nature. The bill only addresses large, national breaches affecting 5,000 or more consumers and prevents state attorneys general from learning of or addressing breaches that are smaller but still cause great harm to consumers.
Following the massive Equifax data breach that impacted more than 5.4 million Illinois residents, Madigan initiated legislation to eliminate credit freeze fees in Illinois. The Illinois General Assembly passed the bill and has sent it to the governor.
To help Illinois residents with data breaches and other privacy issues, Madigan’s office has an Identity Theft Unit and Hotline (1-866-999-5630), run by a team of experts who provide one-on-one assistance to victims of identity theft and data breaches. Since the creation of the hotline, the Attorney General’s office has helped over 44,000 Illinois residents remove more than $29 million worth of unauthorized charges on their accounts.
Joining Madigan in sending the letter were the attorneys general of Alabama, California, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Hawaii, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Tennessee, Vermont, Washington and Wisconsin.
A copy of the letter can be found here.