AG Hood Warns Congress Against Changing Data Breach Notifications
Attorney General Jim Hood, along with 31 other attorneys general, sent a letter to Congress Monday voicing opposition to parts of a pending bill that would reduce the cases in which, and delay the point at which, a breached entity should notify consumers of that breach and that their personal information has been compromised.
The Data Acquisition and Technology Accountability and Security Act preempts all state data breach and data security laws, including laws that require notice to consumers and state attorneys general of data breaches. If passed, the bill would allow breached entities to use their own judgment of whether there is “a reasonable risk that the breach of data security has resulted in identity theft, fraud, or economic loss to any consumer…” The current language would require notice only after the companies determined that a consumer has already been a victim of a related crime. That would remove any opportunity for consumers to take proactive steps to protect themselves from identity theft before it happens, rather than after the fact.
In addition, the proposed Act completely exempts insurance companies from reporting breaches, despite previous data breaches at Nationwide, Anthem, and Premera Insurance Companies.
“This bill puts consumers further in danger of becoming a victim of identity theft by not making them immediately aware that their personal information was compromised,” said General Hood. “It’s my job as attorney general to protect Mississippi’s consumers, and it’s the job of those in Congress to pass laws that protect our country’s citizens, not its corporations.”
More than 1.3 million Mississippians were affected by the recent Equifax data breach. It’s been discovered that Equifax knew the breach occurred but waited more than a month to alert those affected. By passing the data breach bill, Congress is clearing the way for such failures to continue.
“Over the past decade, additional transparency about data breaches has been achieved due to state data breach notification requirements,” stated the attorneys general in the letter to Congressional leaders. “With this transparency, our Offices have been able to learn about breaches and investigate the reasons for them. These investigations have revealed that some entities have failed to take sufficient data security precautions. Understanding where data security failures occur has allowed us to require companies to implement data security fixes. For that reason, we urge you to avoid limiting our ability to learn about data breaches and to require companies to improve their data security measures going forward.”
While Mississippi does not require entities that have been breached to report that to the attorney general’s office, it is recommended that companies voluntarily take that proactive step.
In addition to Mississippi, the following states signed on to the letter: Alabama, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Hawaii, Illinois, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, Montana, Nebraska, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Tennessee, Vermont, Washington, and Wisconsin.