February/March 2010 / Features
State AGs Increasingly Active in Data Breach Cases
After a dramatic increase in the number of data-breach incidents in recent years, state attorneys general have become active in data-breach investigations and enforcement actions. Following the lead of California, 45 states have enacted legislation addressing the issue. Details vary, but these laws all require notification of people whose personal information was compromised. Some also require the state AG’s office be notified.
People impacted by a breach typically include residents of more than one state, so it’s becoming more common for AGs from multiple states to cooperate on investigations. The FTC may also get involved. Besides leading to enforcement actions, investigations can draw attention of plaintiffs’ attorneys and possible lawsuits.
State regulations are now beginning to address wider information security issues, including data disposal and protection of social security numbers. Enforcement typically is by the AGs, but some states also provide for private rights of action. The authors consider laws passed by Massachusetts and Nevada as possible harbingers of a next generation of data security laws that could require formalized security procedures and practices, including encryption. The authors conclude that companies need comprehensive data security policies, and that they are well advised to limit the amount of personal information they collect in the first place.
