Editors' Note: This is the fifth in our fourth-annual end-of-year series examining important trends in data privacy and cybersecurity in the coming year. Our previous entry discussed the energy, Brexit, and health privacy. Next up: trends in GDPR enforcement.
Out of all governmental agencies, state attorneys general are likely to have the greatest impact on privacy enforcement in 2020 for the average business. Over the past few years, state AGs have taken an increasingly active role in privacy and data security matters, using their broad consumer protection authority to enforce rapidly evolving state laws and investigate data security lapses. Even more recently, state AGs have begun to step out of their typical enforcement roles to pursue policy and legislative initiatives.
Despite signs of momentum, Congress is unlikely to pass any major new national cybersecurity legislation this election year. Companies are thus likely looking at another year where privacy and data security enforcement remains largely in the hands of state AGs. Here are three trends to watch out for in 2020.
More AG notification laws.
In order to wield their consumer protection authority, state AGs need to keep abreast of data breaches. It's no surprise that in 2019 we saw several states pass or expand legislation requiring that state AGs be notified after a cybersecurity incident (including Massachusetts, New York, Arkansas, Illinois, Oregon, Texas, and Washington). We predict this trend will continue in 2020.
Currently, upwards of twenty-five states require1 some form of AG notification after a breach. Some notification statutes are triggered by the number of residents affected (as few as 250 residents in South Dakota, and as many as 1,000 in Arizona), whereas others require disclosure no matter the size of the breach. The required contents of these notification can vary as well. For instance, in 2019 Massachusetts expanded its AG notification law to require that companies disclose:
- A detailed description of the nature and circumstances of the breach;
- The number of Massachusetts residents affected;
- The person responsible for the incident, if known;
- The type of personal information
compromised, including, but not limited to:
- Social Security number
- Driver's license number
- Financial account number
- Credit or debit card number
- or other data;
- Whether the company maintains a written information security program;
- All the steps the company has taken or plans to take relating to the incident, including updating the written information security program;
- Whether a report has been made to law enforcement and whether law enforcement is investigating the incident; and
- Where applicable, certification of credit monitoring services pursuant to Chapter 93H, section 3A.
AG notifications add another layer of complexity to your breach response. If you experience a breach, you will need to track the relevant deadlines, and draft and send a notification that meets the statutory requirements applicable to your state. Depending on the state, the AG may also have some law-enforcement responsibility related to data breaches, meaning you could be looking at an investigation if your breach is severe.
Because state laws in this area are constantly changing, it is important to stay current on breach notification laws in your state(s).
Ramping up the pressure on federal regulators.
In 2019, AGs in several states ramped up the pressure on federal regulators to police big tech companies like Facebook, Apple, and Google. Over the last few years, there has been a growing feeling in many quarters that the federal government has adopted a laissez faire (and overly business-friendly) attitude toward consumer data privacy. Increasingly, state AGs and other state regulators are picking up the perceived slack at the federal level.
For example, in June, nine state AGs and the District of Columbia sued to block the T-Mobile/Sprint merger, a move that later gained support from FTC and DOJ. In July, thirty-nine state AGs signed onto a letter requesting that the FTC take several steps to better protect consumer privacy. More recently, on September 6, New York Attorney General Letitia James (D) announced that a bipartisan coalition that would be investigating whether Facebook "may have endangered consumer data, reduced the quality of consumers' choices or increased the price of advertising." And on September 10, Texas Attorney General Ken Paxton (R) announced that a bipartisan coalition of 50 attorneys general investigating Google's alleged market power in search and digital advertising as well as potential abuses of consumer privacy.
Pressure from state AGs throughout 2019 likely contributed to the FTC's record-breaking $5 billion settlement with Facebook, its $175 million settlement with Google's YouTube (where the FTC was joined by New York Attorney General's Office), and DOJ's recent announcement that it was investigating all four big tech giants, Facebook, Google, Apple, and Amazon. While Congress is unlikely to make any big legislative moves during an election year, we expect that won't stop state AGs from continuing to turn up the pressure in 2020.
Increased power to state AGs.
Finally, watch out for state laws that increase AGs' roles in data privacy and security enforcement. The California Consumer Privacy Act (CCPA) is a case in point. The law, which became effective January 1, 2020, authorizes the California attorney general's office to draft implementing regulations and bring enforcement actions. In October 2019, California AG Xavier Becerra released the long-awaited draft regulations. Enforcement will begin six months after the regulations are finalized or on July 1, 2020, whichever comes first. We expect that other states will follow California's example and give their AGs greater privacy watchdog power.
Another such example is the federal Mind Your Business Act, which was introduced by Sen. Ron Wyden (D-OR) in October 2019. The Act allows state AGs to bring a civil action on behalf of residents if they have reason to believe residents' interests "[have] been or [are] being threatened or adversely affected" by a practice that violates the FTC regulations. Although the Act is unlikely to become law, it is indicative of the trend toward giving AGs greater enforcement tools
1. Including Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Idaho, Illinois, Indiana, Iowa, Louisiana, Maine, Maryland, Massachusetts, Missouri, Montana, Nebraska, New Hampshire, New York, North Carolina, North Dakota, Oregon, Rhode Island, Texas, Vermont, Virginia, and Washington.
To view Foley Hoag's Security, Privacy and The Law Blog please click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.