North Carolina Department of Justice
North Carolina Department of Justice
North Carolina Department of Justice
Submit this request

Attorney General Josh Stein Urges Congress to Preserve State’s Authority on Data Breaches

Release date: 3/20/2018

(RALEIGH) – Attorney General Josh Stein today urged Congress not to preempt state data breach and data security laws, including laws that require notice to consumers and state attorneys general of data breaches.
 
In the letter, a bipartisan coalition of attorneys general argue that any federal law must not diminish the important role of states in addressing data breaches and identity theft, especially in North Carolina, where our laws provide greater protections than federal counterparts. In addition, this would threaten the legislation Attorney General Stein and Rep. Jason Saine are currently crafting to further protect North Carolinians in the wake of massive breaches at Equifax and Uber.
 
“Technology makes our lives easier, more convenient, and helps to foster relationships with loved ones far away, but it can also pose dangers,” said Attorney General Josh Stein. “As we increasingly live our lives online, there are more opportunities for the data we share to be stolen or mishandled. In fact, last year, there were more than 1,000 data breaches reported to my office. North Carolina is best suited to make decisions about how to protect North Carolinians – as is the case with the legislation Rep. Jason Saine and I are working to pass. Congress must not deprive the state of North Carolina the right to respond to these issues quickly and efficiently on behalf of our people.”
 
The letter urges Congress to preserve existing protections in state law, ensure that states can continue to enforce breach notification requirements under their own state laws and enact new laws to respond to new data security threats.
 
In part, the letter states, “States have proven themselves to be active, agile, and experienced enforcers of their consumers’ data security and privacy. With the increasing threat and ever-evolving nature of data security risks, the state consumer protection laws that our Offices enforce provide vital flexibility and a vehicle by which the States can rapidly and effectively respond to protect their consumers.” 
 
The attorneys general point out a number of concerns with the proposed Data Acquisition and Technology Accountability and Security Act, including:
 
Reduced transparency to consumers: The bill allows entities suffering data breaches to determine whether to notify consumers of a breach based on their own judgment. The attorneys general argue that when a data breach occurs, impacted consumers should be informed as soon as possible.
 
Narrow focus on large-scale data breaches: The bill fails to acknowledge that most breaches are either local or regional in nature. The bill only addresses large, national breaches affecting 5,000 or more consumers and prevents state attorneys general from learning of or addressing breaches that are smaller but still cause great harm to consumers.  
 
Attorney General Josh Stein signed this letter along with officials from Illinois, Alabama, California, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Hawaii, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, New Jersey, New York, New Mexico, North Dakota, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Vermont, Washington, Wisconsin.
 
A copy of the letter can be found here.
 
Contact:
Laura Brewer (919) 716-6484

###