Caveat Vendor
State Attorneys General Step Up Scrutiny of Data Breaches
May 08, 2013
M. Lily Woodland
As we’ve previously blogged, privacy issues and litigation have become increasingly high-priority and high-visibility of late, as federal regulators and Congress push to update existing law or introduce new requirements, and plaintiffs’ attorneys continue to seek to certify privacy class actions. A request by the attorneys general of Maryland and Connecticut in response to a recent cyber-attack against an online company suggests that state authorities may become increasingly focused on this area as well.
To recap, most states have adopted breach notification requirements that require a company that collects and stores personal information to inform residents affected by a breach. In addition, many states, including Connecticut and Maryland, also require notice to their attorney general or other designated official. The notice requirements typically are relatively straightforward and notably brief.
To date, state attorneys general, with a few very notable exceptions, have not proven particularly active in addressing data breaches, but a May 1 response by the Maryland and Connecticut AGs to a company’s notice regarding the breach may signal a larger shift. The response requested a host of additional information, including (among others):
A detailed timeline of the incident, including when and how the intrusion was discovered and when and how the company learned the nature of the information compromised;
A breakdown of the total number of individuals affected in each state, the categories of information compromised and the number of affected individuals by category;
How the company determined that credit card and payment information was not compromised;
The types of information the company collects and stores, how it is stored, whether it is encrypted and whether it is separated from other data;
How long information is stored and whether and when it is deleted;
Copies of all privacy policies in effect at the time of the breach;
Copies of any security reports or forensic analyses, including any related correspondence and memoranda, related to the incident; and
An outline of any plan developed to prevent recurrence and a timeline for implementing the plan.
Doug Gansler, Maryland’s attorney general and the current president of the National Association of Attorneys General, has made online privacy a signature issue for the group. Our guess is that this type of request will become a more common response to companies’ notices of data breach in the future.
All of the information requested concerns issues that companies subject to a major breach already should have addressed or be in the process of addressing. Nevertheless, the AGs’ apparent newly inquisitive approach will have important ramifications. At the least, it will bring a sharper focus – and a possibly critical second opinion – to companies’ consideration of these issues. More interestingly, it may portend an effort by state officials to regulate in the guise of enforcement, by using an attorney general’s authority to prevent unfair or deceptive trade practices to impose mandates that state or federal privacy laws do not currently require. At a minimum, then, the detailed request for additional information provides interesting insight into what companies may expect in the future.
Caveat Vendor is Paul Hastings’ Consumer Issues blog.