Press Release

Attorney General Josh Shapiro Takes Action to Preserve Pennsylvania Authority to Protect Consumers Against Data Breaches

March 19, 2018 | Topic: Rights

Coalition of 31 AGs Questions Federal Bill that Limits States’ Ability to Protect Consumers from Breaches & Identity Theft

HARRISBURG — Attorney General Josh Shapiro took action today to preserve Pennsylvania’s authority to enforce its own data breach notification law, opposing legislation in Congress that would preempt state data breach and data security laws.

Attorney General Shapiro and 30 other attorneys general wrote to Congress  expressing concerns with legislation that would preempt state data breach laws that require notice to consumers and state attorneys general of breaches when they occur.

“We’ve joined together in a bipartisan manner to say clearly to the federal government – do not take away our authority as states to protect our citizens,” Attorney General Shapiro said. “These data breaches will keep happening until we force change in corporate behavior and hold companies accountable. “This is exactly the wrong time for Congress to pass legislation that would lessen protections for consumers, who have the right to learn about breaches affecting their data as soon as they occur. I’m fighting against it.”

Pennsylvania’s attorney general is taking a leading role nationally on data breaches in the midst of a wave of incidents impacting millions of Americans and Pennsylvanians. Attorney General Shapiro is leading a national investigation of the massive Equifax data breach impacting 148 million Americans – including 5.4 million Pennsylvanians whose personal financial data was stolen last year.

Two weeks ago, Attorney General Shapiro filed his office’s first-ever lawsuit under Pennsylvania’s Breach of Personal Information Notification Act, against the ride-sharing company Uber, based on a data breach impacting 600,000 Uber drivers in the United States – including 13,500 drivers in Pennsylvania.

Instead of notifying customers and drivers of the data breach within a reasonable amount of time – as required under Pennsylvania law – Uber hid the incident for more than a year and actually paid the hackers responsible for the breach to delete the data and keep quiet, according to the lawsuit Attorney General Shapiro’s office filed in state court.

In a letter to Congress today, Attorney General Shapiro and his 28 colleagues argue that any federal law must not diminish the important role of states in addressing data breaches and identity theft, especially in states like Pennsylvania with their own laws that provide greater protections than federal proposals.

Last October, Attorney General Shapiro joined a bipartisan group of Pennsylvania lawmakers in supporting several bills designed to ensure companies act more promptly in notifying consumers after a data breach. That legislation is pending in the legislature.  Shapiro spoke out following the Equifax data breach, in which the company kept news of the massive intrusion to itself for several months.

The letter urges Congress to preserve existing protections in state law and ensure that states can continue to enforce breach notification requirements under their own laws and enact new laws to respond to new data security threats.

“States have proven themselves to be active, agile, and experienced enforcers of their consumers’ data security and privacy,” the attorneys general letter says. “With the increasing threat and ever-evolving nature of data security risks, the state consumer protection laws that our Offices enforce provide vital flexibility and a vehicle by which the States can rapidly and effectively respond to protect their consumers.”

The attorneys general point out a number of concerns with the proposed Data Acquisition and Technology Accountability and Security Act, including:

Reduced transparency to consumers. The bill allows companies suffering data breaches to determine whether to notify consumers of a breach based on their judgment. The attorneys general argue that when a data breach occurs, consumers should be informed as soon as possible.

Narrow focus on large-scale data breaches. The bill fails to acknowledge that most breaches are either local or regional in nature. The bill only addresses large, national breaches affecting 5,000 or more consumers and prevents state attorneys general from addressing breaches that are smaller but still cause great harm to consumers.

Attorney General Shapiro signed the joint letter to Congress with Illinois Attorney General Lisa Madigan and the attorneys general of Delaware, Maryland, Hawaii (Office of Consumer Protection), Washington, Iowa, Maine, Oregon, Mississippi, Minnesota, Kentucky, California, District of Columbia, Tennessee, New Jersey, Nebraska, Louisiana, Montana, North Carolina, Florida, South Carolina, Rhode Island, North Dakota, Colorado, Alabama, Vermont, Massachusetts, Oklahoma, New York, Connecticut and New Mexico.

# # #