Multistate letter warns against federal preemption of state data breach laws


COLUMBUS, Ohio – Ohio Attorney General Mike DeWine joined 46 other attorneys general Tuesday in asking Congress to maintain states’ authority to enforce data breach and data security laws and preserve their ability to enact laws to address future data security risks.

Citing recent efforts in Congress to pass a national law on data breach notification and data security, Attorney General DeWine and the other attorneys general sent a letter to Congress cautioning against federal preemption of state data breach and security laws and arguing that any federal law must not diminish the important role states already play in protecting consumers from data breaches and identity theft.

In 2012, Attorney General DeWine created a consumer Identity Theft Unit to help victims rectify the effects of identity theft. Since its creation, the unit has received more than 3,300 complaints and helped to adjust or clear approximately $900,000 from consumers’ accounts. While a data breach does not always lead to identity theft, it can put individuals at greater risk.

In their letter to Congress, DeWine and the attorneys general write: “Our constituents are continually asking for greater protection. If states are limited by federal legislation, we will be unable to respond to their concerns.”

The letter points out a number of concerns with federal preemption of state data breach and security laws, including:

Data breaches and identity theft continue to cause significant harm to consumers. Since 2005, nearly 5,000 data breaches have compromised more than 815 million records containing sensitive information about consumers — primarily financial account information, Social Security numbers, or medical information. Full-blown identity theft involving the use of a Social Security number can cost a consumer $5,100 on average.

Data security vulnerabilities are too common. Some data collectors fail to reasonably protect consumers’ sensitive data, putting consumers’ personal information at risk, and some data breaches could have been prevented if the data collector had taken reasonable steps to secure consumers’ data.

States play an important role responding to data breaches and identity theft. The states have been at the frontlines in helping consumers deal with the repercussions of a data breach, providing assistance to consumers and investigating the causes of data breaches. Forty-seven states now have laws requiring data collectors to notify consumers when their personal information has been compromised by a data breach.

The attorneys general urge Congress to preserve existing breach notification requirements under state law, to allow states to enact new laws to respond to new data security threats, and to not hinder states that are helping their residents by preempting state data breach and security laws.

Today’s letter to Congress was co-sponsored by Arkansas, Connecticut, Illinois, Indiana, Maryland, Massachusetts, and Nebraska, and joined by the following states and territories: Alabama, Alaska, Arizona, California, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, North Mariana Islands, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, and West Virginia.

A copy of the letter is available on the Ohio Attorney General’s website.