CHARLESTON – West Virginia Attorney General Patrick Morrisey announced he joined a bipartisan, multi-state effort to urge federal lawmakers against preempting state laws designed to protect consumers affected by data breaches and identity theft.
Morrisey announced he joined the national coalition to urge Congress against preempting state data breach and security laws on July 7.
Morrisey joined 46 other attorneys general in a letter to the U.S. Congress emphasizing the importance of maintaining states' authority to enforce data breach and data security laws and their ability to enact laws to address future data security risks.
The attorneys general cautioned lawmakers against federal preemption of state data breach and security law, citing recent Congressional efforts to pass a national law on data breach notification and data security.
The attorneys general's letter argues that any federal law must not diminish the important role states already play in protecting consumers from data breaches and identity theft, especially in states whose laws provide greater protections than federal counterparts.
"Protecting consumers is a top priority for my office, and I want to make sure the federal government doesn't stand in the way of that," Morrisey said in a press release. "Data breaches and identity theft pose significant and increasing threats to consumers, and while these federal proposals may be well-intentioned, they stand to hinder our local efforts to combat and warn consumers of these threats."
The letter points out concerns with federal preemption of state data breach and security laws.
Data breaches and identity theft continue to cause significant harm to consumers, according to the letter.
Since 2005, nearly 5,000 data breaches have compromised more than 815 million records containing sensitive information about consumers – primarily financial account information, Social Security numbers or medical information. Full-blown identity theft involving the use of a Social Security number can cost a consumer $5,100 on average.
The letter also points out that data security vulnerabilities are too common, and that states frequently encounter data breach incidents that result from data collectors' failure to reasonably protect the sensitive data entrusted to them by consumers, putting consumers’ personal information at unnecessary risk.
Many of these breaches could have been prevented if the data collector had taken reasonable steps to secure consumers’ data, according to the letter.
States play an important role responding to data breaches and identity theft, the letter states.
The states have been at the frontlines in helping consumers deal with the repercussions of a data breach, providing important assistance to consumers who have been affected by data breaches or who suffer identity theft or fraud as a result, and investigating the causes of data breaches to determine whether the data collector experiencing the breach had reasonable data security in place.
Forty-seven states, including West Virginia, now have laws requiring data collectors to notify consumers when their personal information has been compromised by a data breach, and a number of states have also passed laws requiring companies to adopt reasonable data security practices.
The letter urges Congress to preserve existing protections under state law, ensure that states can continue to enforce breach notification requirements under their own state laws and enact new laws to respond to new data security threats, and to not hinder states that are helping their residents by preempting state data breach and security laws.
"Our state has taken a proactive approach to require companies to alert West Virginia residents whenever their personal data has been compromised," Morrisey said. "Our laws also give my office the ability to pursue civil actions against companies that fail to adequately respond to these breaches. I would hate to see these reasonable protections usurped by new, overly broad federal legislation."
In 2005, 44 state attorneys general wrote a similar letter to Congress calling for a national law on breach notification that did not pre-empt state enforcement or state law.
This week's letter was co-sponsored by attorneys general from Arkansas, Connecticut, Illinois, Indiana, Maryland, Massachusetts and Nebraska. It was also joined by Alabama, Alaska, Arizona, California, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Northern Mariana Islands, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington and West Virginia.