|
|
Attorney General Mike DeWine
AG’s Urge
Congress to Preserve State Authority over Data Breach Laws
Multistate Letter Warns Against Federal Preemption of State Data Breach
Laws
(COLUMBUS, Ohio)—Ohio Attorney General Mike DeWine today joined 46
other attorneys general in asking Congress to maintain states’
authority to enforce data breach and data security laws and preserve
their ability to enact laws to address future data security risks.
Citing recent efforts in Congress to pass a national law on data breach
notification and data security, Attorney General DeWine and the other
attorneys general sent a letter to Congress cautioning against federal
preemption of state data breach and security laws and arguing that any
federal law must not diminish the important role states already play in
protecting consumers from data breaches and identity theft.
In 2012, Attorney General DeWine created a consumer Identity Theft Unit
to help victims rectify the effects of identity theft. Since its
creation, the unit has received more than 3,300 complaints and helped
to adjust or clear approximately $900,000 from consumers' accounts.
While a data breach does not always lead to identity theft, it can put
individuals at greater risk.
In their letter to Congress, DeWine and the attorneys general write:
“Our constituents are continually asking for greater protection. If
states are limited by federal legislation, we will be unable to respond
to their concerns.”
The letter points out a number of concerns with federal preemption of
state data breach and security laws, including:
Data breaches and identity theft continue to cause
significant harm to consumers. Since 2005, nearly 5,000 data breaches
have compromised more than 815 million records containing sensitive
information about consumers — primarily financial account information,
Social Security numbers, or medical information. Full-blown identity
theft involving the use of a Social Security number can cost a consumer
$5,100 on average.
Data security vulnerabilities are too common. Some
data collectors fail to reasonably protect consumers' sensitive data,
putting consumers’ personal information at risk, and some data breaches
could have been prevented if the data collector had taken reasonable
steps to secure consumers’ data.
States play an important role responding to data
breaches and identity theft. The states have been at the frontlines in
helping consumers deal with the repercussions of a data breach,
providing assistance to consumers and investigating the causes of data
breaches. Forty-seven states now have laws requiring data collectors to
notify consumers when their personal information has been compromised
by a data breach.
The attorneys general urge Congress to preserve existing breach
notification requirements under state law, to allow states to enact new
laws to respond to new data security threats, and to not hinder states
that are helping their residents by preempting state data breach and
security laws.
Today’s letter to Congress was co-sponsored by Arkansas, Connecticut,
Illinois, Indiana, Maryland, Massachusetts, and Nebraska, and joined by
the following states and territories: Alabama, Alaska, Arizona,
California, Delaware, District of Columbia, Florida, Georgia, Hawaii,
Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan, Minnesota,
Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New
Mexico, New York, North Carolina, North Dakota, North Mariana Islands,
Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota,
Tennessee, Utah, Vermont, Virginia, Washington, and West Virginia.
A copy of the letter is available on the Ohio Attorney General’s
website.
Consumers who need help addressing a data breach, identity theft, or
other consumer problem should contact the Ohio Attorney General's
Office at www.OhioAttorneyGeneral.gov or 800-282-0515.
|
|
|
|