Attorney General Tim Fox Urges Congress to Preserve States’ Authority to Enforce Data Breach & Data Security Laws

Attorney General Tim Fox Urges Congress to Preserve States’ Authority to Enforce Data Breach & Data Security Laws

HELENA – Montana Attorney General Tim Fox joined a coalition of 32 state attorneys general in a letter to Congress Monday, urging lawmakers not to preempt state data breach and data security laws. The coalition specifically focused on laws requiring notice to consumers and state attorneys general of data breaches.

In their letter, the attorneys general argue that any federal law must not diminish the important role of states in addressing data breaches and identity theft, especially in states like Montana, which have laws providing greater protections than federal counterparts.

“Protecting consumers from the harm of a data breach becomes more important every day,” said Attorney General Tim Fox. “State consumer protection offices are on the front lines of notifying consumers when their information may be compromised, as well as taking action against companies that don’t adequately safeguard customer data. The states’ vital role in this arena must be protected.”

The letter urges Congress to preserve existing protections in state law, ensure that states can continue to enforce breach notification requirements under their own state laws and enact new laws to respond to new data security threats.

In part, the letter states:

“States have proven themselves to be active, agile, and experienced enforcers of their consumers’ data security and privacy. With the increasing threat and ever-evolving nature of data security risks, the state consumer protection laws that our Offices enforce provide vital flexibility and a vehicle by which the States can rapidly and effectively respond to protect their consumers.”

The attorneys general point out several concerns with the proposed Data Acquisition and Technology Accountability and Security Act, including:

Reduced transparency to consumers: The bill allows entities suffering data breaches to determine whether to notify consumers of a breach based on their own judgment. The attorneys general argue that when a data breach occurs, impacted consumers should be informed as soon as possible.

Narrow focus on large-scale data breaches: The bill fails to acknowledge that most breaches are either local or regional in nature. The bill only addresses large, national breaches affecting 5,000 or more consumers and prevents state attorneys general from learning of or addressing breaches that are smaller but still cause great harm to consumers.

Click here to view a copy of the letter.