Letter cautions Congress against preempting states’ ability to legislate and enforce data breach and identity theft laws that protect consumers
(DES MOINES, Iowa) Attorney General Tom Miller today called on Congress to preserve Iowa’s current and future authority to enforce state data breach and data security laws.
In a bipartisan effort to ensure that any future federal data breach notification or data security law is effective and provides consumers with the best protection, Miller joined 46 other state attorneys general in a letter to Congress emphasizing the importance of maintaining states’ roles in laws that address data security protection, breach notification and enforcement matters.
“While I think it’s good that Congress is looking at addressing data breaches, I don’t think it should usurp Iowa law or similar laws in other states,” Miller said. “State legislatures put these laws in place to protect their states’ consumers.”
Citing recent congressional efforts to pass a national data breach notification and data security law, Miller and the attorneys general caution Congress about preempting similar state laws. “Any additional protections afforded consumers by a federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft,” the states’ chief legal officers wrote.
Iowa law requires that anyone who discovers a personal data breach affecting more than 500 Iowa residents to notify affected consumers “in the most expeditious manner possible and without unreasonable delay,” and also notify the Attorney General’s Consumer Protection Division.
The letter urges Congress to preserve existing protections under state law, ensure that states can continue to enforce breach notification requirements under their own state laws and enact new laws to respond to new data security threats, and to not hinder states that are helping their residents by preempting state data breach and security laws.
The letter points out a number of concerns with federal preemption of state data breach and security laws, including:
- Data breaches and identity theft continue to cause significant harm to consumers. Since 2005, nearly 5,000 data breaches have compromised more than 815 million records containing sensitive information about consumers – primarily financial account information, Social Security numbers or medical information. Full-blown identity theft involving the use of a Social Security number can cost a consumer $5,100, on average.
- Data security vulnerabilities are too common. States frequently encounter circumstances where data breach incidents result from the failure by data collectors to reasonably protect the sensitive data entrusted to them by consumers, putting consumers’ personal information at unnecessary risk. Many of these breaches could have been prevented if the data collector had taken reasonable steps to secure consumers’ data.
- States play an important role responding to data breaches and identity theft. States have been at the forefront of helping their consumers deal with the fallout from a data breach, providing important assistance to consumers who have been impacted by data breaches or who suffer identity theft or fraud as a result, and investigating the causes of data breaches to determine whether the data collector experiencing the breach had reasonable data security in place. Iowa and 46 other states require data collectors to notify consumers when their personal information has been compromised by a data breach, and a number of states have also passed laws requiring companies to adopt reasonable data security practices.
“States are the front line in helping consumers deal with the repercussions of a data breach,” the letter said.