BreachExchange mailing list archives

State Attorneys General Are Crucial Force In Enforcement of Data Breach Statutes


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 8 Oct 2013 00:30:29 -0600

http://www.bna.com/state-attorneys-general-n17179877665/

Oct. 1 -- Representatives from the offices of three state attorneys general
told attendees Oct. 1 at a Bellevue, Wash., convention of the International
Association of Privacy Professionals that they are not reluctant to bring
actions against companies involved in data breaches.

Moderator Divonne Smoyer, a partner at Dickstein Shapiro LLP in Washington,
framed the discussion on state attorneys general at the IAPP Privacy
Academy by saying that many people “think that the privacy action really
takes place at the federal level and the international level and they more
or less give short shrift to the states.”

People see compliance with state regulations and rules “as a matter of
rote,” Smoyer said. “They don't really think that states have teeth or that
they are going to enforce their laws.”

Almost all states have breach notification laws, and many have data privacy
laws, Smoyer said. She added that state attorneys general often have the
authority to enforce statutes like the Health Insurance Portability and
Accountability Act, the Health Information Technology for Economic and
Clinical Health and the Children's Online Privacy Protection Act.

In introducing Vermont Attorney General William Sorrell (D), she called him
“one of the earliest AGs and still among the few AGs that have exercised
their enforcement under HIPAA laws.” Sorrell said, “We're not at all
reluctant to bring an enforcement action--(1) to serve as an example to
other companies and (2) to have a relatively equal playing field.”

“We Pool Our Resources.”

Paula Selis, senior counsel at the Washington State Attorney General's
Consumer Protection Division, said Washington participates in multistate
data breach litigation. “We pool our resources” by sending out subpoenas to
potential targets “and we share that information with each other,” she
said. In circumstances where a company did not take enough care to protect
the data, a lawsuit might be filed, sometimes simultaneously with a consent
decree, she said.

Selis said her office's work complements the Federal Trade Commission's
work. “If the FTC is doing a good job, there may be no good reason for the
states to enter into the fray,” she said. “If there are additional laws
that we want to enforce--maybe our laws give us more leverage than the
FTC's laws--then we might decide it's a case we want to get involved with.”

Although there are some “horror stories” about federal authorities getting
involved with enforcement actions at the state level, state attorneys
general “are in a pretty good spot” dealing cooperatively with both the FTC
and the Consumer Financial Protection Bureau, Sorrell said.

Joanne McNabb, director of privacy education and policy at the Office of
the California Attorney General, said that California is one of eight
states that has a right to privacy memorialized in its constitution. She
said the commitment of California Attorney General Kamala Harris (D) to
protecting privacy is reflected by the recent creation of a privacy unit
staffed with five attorneys.

Working Directly With Companies

McNabb said Harris brought together major mobile application platform
companies to agree to strengthen privacy notifications and protections to
bring them in line with California online privacy law. Because of Harris's
discussions with those companies, McNabb said, a consumer “has the
opportunity to see the privacy policy before downloading the app that sucks
out all of the information.”

Vermont's Sorrell emphasized the importance of creating a collaborative
working relationship with companies. He described how his office hired an
expert with money from a “big national settlement” to attempt penetrations
into corporate computer systems. “If we find vulnerability, we'll tell the
company,” he said. “We also do some training with small business on data
security issues.”

Washington's Selis added, “Our philosophy is we want to have a relationship
before the data breach occurs.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
