Commonwealth of Virginia
Office of the Attorney General
900 East Main Street
For media inquiries only, contact:
Michael Kelly, Director of Communications
HERRING URGES CONGRESS TO PRESERVE AUTHORITY TO PROTECT CONSUMERS AND THEIR PERSONAL INFORMATION
~ Joins multistate letter opposing federal preemption of States' ability to legislate and enforce laws that protect consumers from data breaches and identity theft ~
RICHMOND (July 7, 2015) -Attorney General Mark R. Herring today joined a bipartisan effort to ensure that Virginia consumers and their personal information are afforded the most protection possible in any future federal legislation dealing with data breach notification or data security. In a letter to Congressional leadership, Herring and 46 other attorneys general caution against federal preemption of state data breach and security law and argue that any federal law must not diminish the important role states and their attorneys general already play in protecting consumers from data breaches and identity theft.
During his time in office, Attorney General Herring's Computer Crime Section has already received 490 notifications of data breaches, ranging from small, misplaced hard drives with the personal information of just a few Virginians, to large-scale cyber-attacks like those against Target and Anthem which affected millions of Virginians. Three notifications were received today alone.
"State attorneys general play a critical role in protecting consumers in an age where more and more of our financial and personal data is held by third parties," said Attorney General Herring. "These incidents are on the rise, and rather than disbanding the coalition of enforcers currently working on this growing problem, Congress should recognize what an asset we can be in protecting consumers. Preemption of the authority of states and their attorneys general to pass and enforce laws on data security would be a big step in the wrong direction."
Virginia law requires any individual or entity responsible for handling personal identifying information of Virginians to notify both the Attorney General and affected residents when they believe that information may have been accessed or acquired by an unauthorized party. Those responsible for the data must provide the potentially affected resident with a notification that includes:
- A description of the incident
- Type of information that was accessed or acquired
- The steps the responsible party took to prevent further unauthorized access
- Contact information for additional questions
- Advice for protecting oneself from potential damage caused by the breach
Notifications to the Office of Attorney General must include:
- Date of the incident and how the breach was discovered
- Cause of the breach
- Number of Virginia residents affected
- Steps taken to remedy the breach
- A sample of the notification that will go to affected consumers, including any possible offers of free credit monitoring
- A cover letter on official letterhead from the party responsible for the information
The attorneys general's letter urges Congress to preserve these existing protections under state law, ensure that states can continue to enforce breach notification requirements under their own state laws and enact new laws to respond to new data security threats, and to not hinder states that are helping their residents by preempting state data breach and security laws. The letter points out a number of concerns with federal preemption of state data breach and security laws, including:
Data breaches and identity theft continue to cause significant harm to consumers. Since 2005, nearly 5,000 data breaches have compromised more than 815 million records containing sensitive information about consumers - primarily financial account information, Social Security numbers or medical information. Full-blown identity theft involving the use of a Social Security number can cost a consumer $5,100 on average.
Data security vulnerabilities are too common. States frequently encounter circumstances where data breach incidents result from the failure by data collectors to reasonably protect the sensitive data entrusted to them by consumers, putting consumers' personal information at unnecessary risk. Many of these breaches could have been prevented if the data collector had taken reasonable steps to secure consumers' data.
States play an important role responding to data breaches and identity theft. The States have been at the frontlines in helping consumers deal with the repercussions of a data breach, providing important assistance to consumers who have been impacted by data breaches or who suffer identity theft or fraud as a result, and investigating the causes of data breaches to determine whether the data collector experiencing the breach had reasonable data security in place. Forty-seven states now have laws requiring data collectors to notify consumers when their personal information has been compromised by a data breach, and a number of states have also passed laws requiring companies to adopt reasonable data security practices.
In 2005, 44 state attorneys general wrote a similar letter to Congress calling for a national law on breach notification that did not preempt state enforcement or state law.
Today's letter, co-sponsored by Arkansas, Connecticut, Illinois, Indiana, Maryland, Massachusetts and Nebraska, was also joined by the following states and territories: Alabama, Alaska, Arizona, California, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Northern Mariana Islands, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, and West Virginia.
# # #