For Immediate Release - March 18, 2015

AG Healey Raises Concerns About Federal Bill That Would Weaken Data Breach Protections for Massachusetts Residents

AG’s Office Provides Testimony on Capitol Hill about Proposed Legislation Seeking to Establish Inadequate National Standard for Data Breach Notifications

BOSTON – In an effort to protect some of the most robust data breach notification and security laws in the nation, Attorney General Maura Healey’s Office testified today before Congress, expressing concerns over proposed federal legislation that it would significantly weaken protections for Massachusetts consumers.

The bill, titled the Data Security and Breach Notification Act of 2015, seeks to establish nationwide standards concerning data security and data breach notification obligations that are far weaker than what Massachusetts law currently requires.

“This bill will drastically undercut our data security regulations that provide meaningful consumer protections for Massachusetts residents,” AG Healey said. “We are concerned that this legislation will scale back our state’s essential safeguards against cybercrime, identity theft and fraud that are already in place.”

As laid out in testimony from Assistant Attorney General Sara Cable of AG Healey’s Consumer Protection Division, before the U.S. House of Representatives Subcommittee on Commerce, Manufacturing, and Trade, principal concerns with the bill 2015 include:

  • Vague security standards that leave consumers’ data vulnerable;
  • Omission of required notice to states for the vast majority of data breaches hinders any meaningful enforcement of consumer protection laws;
  • An infringement on the states’ consumer protection enforcement authority by preempting the application of state laws;
  • Insufficient penalties that leave consumers without a meaningful remedy; and
  • Data breach notice obligations which lack key information and safeguards for consumers.

According to a letter from the AG’s Office sent this week to the House subcommittee, while the stated purpose of the bill is to “protect consumers from identity theft, economic loss or economic harm, and financial fraud,” it would have the opposite effect. By preempting all state laws, including Massachusetts’ stringent data security regulations – regarded as a benchmark nationwide – the federal law would establish a vague national standard and limited state enforcement authority.

The AG’s Office enforces the state’s data security breach notification law, data security regulations, and the data disposal law, which require owners or licensees of “personal information” of residents to maintain minimum security procedures and policies to protect from anticipated threats and unauthorized access or use. Massachusetts law also requires prompt notice to affected residents and state agencies in the event of a breach of security.

From January 2008 through July 2014, the AG’s Office received more than 8,600 security breach notices, affecting nearly 5 million Massachusetts residents. As a result of investigations and enforcement actions brought to address a select number of these breaches, the AG’s Office has developed an expert view into the nature, extent, and frequency of data breaches, the risks faced by consumers, and the security practices and procedures that can prevent or mitigate those risks.

In its letter, the AG’s Office argues that the bill as drafted is harmful to consumers and restricts innovative states from protecting their residents from emerging threats to the privacy and security of their data. The bill instead should retain existing state and federal enforcement authority, and model its data security standards after those in place in Massachusetts and existing federal law.

The AG’s Office has led multiple investigations into potential violations of the state’s data protection laws, including multistate investigations into nationwide data breaches.

In February, AG Healey announced her investigation of a data breach at health insurer Anthem that has potentially affected tens of millions of its customers and employees nationwide. In January, online retailer, Inc. agreed to pay $106,000 and take actions to better protect consumers’ information following a 2012 data breach.

In December 2014, TD Bank agreed to pay $625,000 and strengthen its security practices after losing unencrypted back-up tapes affecting more than 90,000 Massachusetts customers. In January 2014, following Target Corporation’s announcement that the email information for approximately 70 million people could be affected by a data breach, the AG’s Office joined a multistate group to investigate.

For further steps to protect themselves, consumers may contact the Attorney General's consumer hotline at (617) 727-8400, or review identity theft protection tips at the AG’s website.