32 state Attorneys General to Congress: Don’t replace our stronger privacy laws!

Some 32 Democratic and Republican state Attorneys General have sent a strong letter to the bi-partisan sponsors of a draft federal data breach and data security bill. The weak, industry-backed proposal from Reps. Blaine Luetkemeyer (R-MO) and Carolyn Maloney (D-NY) would override, or preempt, numerous better state privacy laws and, importantly, prevent states from ever again acting to better protect their citizens' financial DNA. We don't like the bill either.

A bipartisan group of 32 state Attorneys General, led by Illinois AG Lisa Madigan, sent a joint letter last week to the House Financial Services Committee leadership against the draft (link includes opposition testimony of the Massachusetts Attorney General’s Office) “Data Acquisition and Technology Accountability and Security Act” that PIRG has also been opposing. The bill incorporates numerous aspects of previous Trojan Horse privacy laws pushed in Congress.

What has brought together 20 Democratic and 12 Republican state consumer cops against this bi-partisan proposal, co-sponsored by Congressman Blaine Luetkemeyer (R-MO) and Congresswoman Carolyn Maloney (D-NY)?

As the letter points out, the proposal “…appears to place Equifax and other reporting agencies and financial institutions out of states’ enforcement reach. This bill totally preempts all state data breach and data security laws, including laws that require notice to consumers and state attorneys general of data breaches.”

The draft bill requires merchants, telecoms and some others to notify the public when they are hacked. But it exempts firms already covered under the Gramm-Leach-Bliley Act of 1999, which includes all banks and “other financial institutions”, including Equifax and the other big credit bureaus. Under GLBA, they do not have to provide breach notices, only breach response plans. The draft bill would also override and replace stronger requirements that many states already have in place.

More from the letter: “Consumers must know right away if their data has been compromised so that they can take pro-active steps to protect themselves from identity theft before it happens, not after the fact.” We agree!

In detailed testimony to the committee before the draft bill was circulated, U.S. PIRG outlined the numerous flaws in predecessor legislation. Privacy expert Laura Moy of the Georgetown University Law Center’s Center on Privacy and Technology explained to the committee that states are securing more kinds of information (locational and biometric, e.g.) and protecting consumers from many more types of harms, including physical harms (a domestic abuser could track a previous victim after a data breach). 

This bill is the worst of both worlds. If these industries want a uniform standard, which is often the selling point behind this and other bad federal data breach bills we’ve seen before, they could take the strongest state laws and apply them to all consumers across the country – they don’t need Congress for that. This is simply an attempt to set weaker federal laws as the ceiling for what states can do to protect consumers.


Mike Litt

Director, Consumer Campaign, PIRG

Mike directs U.S. PIRG’s national campaign to protect consumers on Wall Street and in the financial marketplace by defending the Consumer Financial Protection Bureau, and works for stronger privacy protections and corporate accountability in the wake of the Equifax data breach. Mike lives in Washington, D.C.