Indiana Attorney General Greg Zoeller today joined a multistate letter to Congress emphasizing the importance of maintaining states’ authority to enforce data breach and data security laws, and their ability to address future data security risks.
Citing recent efforts in Congress to pass a national law on data breach notification and data security, Zoeller, joined by 46 other state and territorial attorneys general, cautions against federal preemption of state data breach and security laws and argues that any federal law must not diminish the important role states already play in protecting consumers from data breaches and identity theft.
“States are on the front lines responding to increasing reports of data breaches and identity theft; crimes which put many Indiana residents at risk for serious financial hardship,†Zoeller said. “While the federal government certainly needs to pass stronger data security laws, it is vital that federal laws do not adversely affect state efforts to help victims of these crimes and hold accountable violators of state laws.â€
The letter from the group of AGs to Congress points out a number of concerns with federal preemption of state data breach and security laws, including:
- Data breaches and identity theft continue to cause significant harm to consumers. Since 2005, nearly 5,000 data breaches have compromised more than 815 million records containing sensitive information about consumers – primarily financial account information, Social Security numbers or medical information. Full-blown identity theft involving the use of a Social Security number can cost a consumer $5,100 on average.
- Data security vulnerabilities are too common. States frequently encounter circumstances where data breach incidents result from the failure by data collectors to reasonably protect the sensitive data entrusted to them by consumers, putting consumers’ personal information at unnecessary risk. Many of these breaches could have been prevented if the data collector had taken reasonable steps to secure consumers’ data.
- States play an important role responding to data breaches and identity theft.  The states have been leaders in helping consumers deal with the repercussions of a data breach, providing important assistance to consumers who have been impacted by data breaches or who suffer identity theft or fraud as a result, and investigating the causes of data breaches to determine whether the data collector experiencing the breach had reasonable data security in place. Forty-seven states now have laws requiring data collectors to notify consumers when their personal information has been compromised by a data breach, and a number of states have also passed laws requiring companies to adopt reasonable data security practices.
The letter urges Congress to preserve existing protections under state law, ensure that states can continue to enforce breach notification requirements under their own state laws and enact new laws to respond to new data security threats, and to not hinder states that are helping their residents by preempting state data breach and security laws.
The Indiana Attorney General’s Office can pursue enforcement actions for violations of Indiana’s Disclosure of Security Breach law. Under this law, businesses and organizations with Indiana customers are required to inform customers and the AG’s Office about security breaches that have placed personal information in jeopardy. The AG’s Office can seek up to $150,000 for data breaches that have not been properly disclosed to Indiana customers.
In 2014, nearly 400 data breaches were reported to the Indiana Attorney General’s Office. In 2015 thus far, 269 data breaches have been reported. Additionally, the AG’s Office has received 728 complaints about identity theft this year; more than 1,300 complaints were received last year.
In 2005, 44 state attorneys general called on Congress to pass a national law on breach notification that did not preempt state enforcement or state law.
The AGs’ recent letter comes on the heels of a massive data breach at the U.S. Office of Personnel Management, which may have affected 18 million current, former and prospective federal employees — including AG Zoeller himself. Zoeller is a former White House staff member who served in the office of former U.S. Vice President Dan Quayle in the 1980s.
Zoeller said this data breach underscores the urgency of passing tighter security laws at the federal and state levels.
“We have become numb to the increasingly common notice of data breaches that affect Americans,†Zoeller said. “But this breach of the security clearances for those in highly sensitive positions in our federal government should be a wake-up call to the inadequacies of our federal government. It’s time the American people demand more of those in Washington responsible for our national security.”
As Indiana AG, Zoeller has advocated for passage of state laws to help protect consumers from data breaches and identity theft and to help consumers repair their credit after their identities were stolen. The Attorney General’s Office operates the state’s Identity Theft Unit and encourages all Hoosiers to protect their credit and guard against identity theft by taking the following steps:
- Sign up for a free credit freeze to prevent criminals from opening up new lines of credit in your name.
- Review your credit report to check for inaccuracies at least yearly. A free credit report can be requested once a year through www.AnnualCreditReport.com.
- Closely monitor bank statements for any unusual activity.