States defend their role in protecting consumers from data breaches

As the U.S. Congress considers legislation to better protect consumers from the threats posed by data breaches and identity theft, the nation’s state attorneys general have delivered a unified message: Don’t pre-empt state laws. Forty-four attorneys general (including 10 from the Midwest) signed the July letter to lawmakers. “Additional protections afforded consumers by a federal law must not diminish the important role states already play,” they wrote.

Currently, 10 of the 11 states in the Midwest (all but South Dakota) have laws requiring consumers to be notified when a data breach occurs. In Illinois, a recently passed bill would expand the state’s notification law — for example, adding geolocation and consumer marketing to the definition of “personal information.” SB 1833 also would require entities that collect and store personal consumer data to adopt “reasonable security measures.” The bill was still awaiting the governor’s signature as of early August.

One potential benefit of federal legislation is improving the response to breaches that occur across state lines. Forty states, though, already participate in the Privacy Working Group, an organization that facilitates collaboration and joint investigations regarding data breaches.

Stateline Midwest: July/August 20153.49 MB