State Attorneys General: The New Iron Fist of Data Protection and Privacy

As high-profile data breaches continue to befall major companies, a flurry of actions by state Attorneys General — not Congress or the Federal Trade Commission — continues to land the biggest data protection punches. Recent breaches suffered by Target, Uber, and Neiman Marcus have produced multi-state lawsuits from all over the country. This raises the question: Is state data protection and privacy enforcement just a passing trend, or is it here to stay?

On What Authority?

State Attorneys General act as key consumer protection advocates, wielding authority over data privacy through state consumer protection laws (often referred to as Unfair or Deceptive Acts or Practices, or UDAP, laws). These UDAP laws act as miniature versions of the FTC Act but feature one very important distinction with respect to punitive measures. While the FTC’s pursuit of civil penalties is a painstaking and circuitous process, UDAP laws provide a much more straightforward path by which state regulators can recover civil penalties. Recently, acting Chairman Joe Simons publicly acknowledged the challenges the FTC faces in its ability to deter bad conduct through civil penalties.

Multi-state lawsuits by Attorneys General stemming from allegations of UDAP violations, on the other hand, can produce effective remedies. This is significant in instances where a business suffers an embarrassing data breach. Pennsylvania Attorney General Josh Shapiro’s lawsuit against Uber is but one example.

Pennsylvania AG’s Case Against Uber

The Pennsylvania Attorney General’s suit against Uber arose exclusively out of the allegation that the company violated the Pennsylvania data breach notification law, the Pennsylvania Breach of Personal Information Notification Act. The law requires a business that suffers a data breach involving Pennsylvania residents’ personal information to notify those residents without “unreasonable delay”. In Uber’s case, the company did not notify affected residents of the breach for more than a year. This untimely notice prompted Attorney General Shapiro to argue that each instance in which Uber failed to notify a Pennsylvania resident constituted a separate violation of the Pennsylvania consumer protection law — the same law that provides a $1,000 civil penalty for EACH violation. It’s worth noting that at the time Attorney General Shapiro filed the lawsuit, an estimated 13,500 Pennsylvanians had their first and last names and their driver’s license numbers stolen in the breach. With a $1,000 penalty for each of a possible 13,500 violations, Uber faced the realistic prospect of owing a rather significant penalty to Pennsylvania. When other states opened investigations of their own, Uber faced additional scrutiny from regulators all across the country and eventually found itself the subject of a multi-state lawsuit.

A Tried, True, and Expanding Formula

The failure to follow data breach obligations under state consumer protection laws continues to represent a tried and true formula for proactive Attorneys General. In fact, various state AG offices (such as Connecticut’s) have gone so far as to form Privacy and Data Security departments and hire attorneys with data security expertise. With an increased emphasis on data protection and privacy, these departments take a special interest in breached businesses. In all, this interest has led to an assortment of multi-state investigations, lawsuits, and settlements arising out of big data breaches. The multi-state litigation against Uber resulted in a $148 million settlement with 51 participating Attorneys General. Less than a year earlier, 47 state Attorneys General reached an $18.5 million settlement with Target. And as recently as this month, Neiman Marcus settled with 43 states and the District of Columbia for $1.5 million.

This growing enforcement of data protection and privacy also goes beyond state consumer protection laws. Last month marked the first time that state Attorneys General joined together to file a federal lawsuit over a HIPAA-related data breach. Because state Attorneys General also have the authority to enforce federal privacy laws like the Health Information Portability and Accountability Act (HIPAA), twelve different states sued the company Medical Informatics Engineering, Inc. The complaint alleged numerous violations of HIPAA as well as state law claims under UDAP and breach notification statutes.

It’s safe to assume that state Attorneys General will continue to take action on the data security and privacy front in the near future. In fact, new state privacy legislation like the California Consumer Privacy Act makes enforcement at the state level all but a certainty.