For Immediate Release - July 07, 2015

AG Healey Calls on Congress to Preserve States' Authority to Enforce Data Breach and Security Laws

Co-Sponsors Multistate Letter Warning against Limitations on Ability to Protect Consumers from Data Breaches and Identity Theft

BOSTON – Leading a bipartisan effort to maintain strong state consumer protection laws, Attorney General Maura Healey today co-sponsored a multistate letter to the U.S. Congress, urging that any future federal data breach and security law allow states to enforce their own laws and not preclude their ability to enact new laws to address future data security risks.

Citing recent efforts in Congress to pass a national law on data breach notification and data security, AG Healey was joined by 46 other attorneys general in cautioning against a national standard that preempts stronger state data breach and security laws.

“Our residents need strong protections against data breaches and identity theft,” AG Healey said. “A weak national standard that deprives the states of enforcement authority would leave consumers without recourse or protection. Massachusetts is a leader in data breach and security law and we must ensure that federal law does not leave consumers vulnerable to identity theft and fraud.”

The multistate letter highlights the prevalence of preventable data security incidents and the harms they cause consumers, and emphasizes the leading role that states have played over the past decade in protecting consumers from the repercussions of data breaches. According to the letter, federal preemption of stronger state law would leave consumers less protected from the risks of data breaches and identity theft than they are now, especially for states like Massachusetts whose laws provide greater protections than federal counterparts. 

In March, the AG’s Office testified before Congress expressing concerns over proposed federal legislation, titled the Data Security and Breach Notification Act of 2015, arguing that it would establish a vague national standard and significantly weaken protections for Massachusetts consumers.

In 2005, 44 state attorneys general, including Massachusetts, wrote a similar letter to Congress calling for a national law on breach notification that did not preempt state enforcement or state law.

From September 1, 2007 through December 31, 2014, the AG’s Office received notice of over 9,800 data breaches, reporting over 5 million impacted Massachusetts residents. As a result of investigations and enforcement actions brought to address a select number of these breaches, the AG’s Office has developed an expert view into the nature, extent, and frequency of data breaches, the risks faced by consumers, and the security practices and procedures that can prevent or mitigate those risks.

Today’s letter, co-sponsored by Arkansas, Connecticut, Illinois, Indiana, Maryland, Massachusetts and Nebraska, was also joined by the following states and territories: Alabama, Alaska, Arizona, California, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Northern Mariana Islands, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, and West Virginia.

For further steps to protect themselves, consumers may contact the Attorney General's consumer hotline at (617) 727-8400, or review identity theft protection tips at the AG’s website.