WASHINGTON, D.C.–Who protect’s your company from serious hacks and data breaches? Mississippi has laws that require companies that have been hacked to report it. Atty. Gen. Jim Hood says any laws that Congress passes in DC should add protection and not take it away.
Hood signed on to a letter to Congress, joined by attorneys general from 46 other states, saying Mississippi should have the ultimate authority when it comes to protecting Mississippi businesses.
Congress may be getting ready to consider and pass federal laws on reporting data breaches.
“In Mississippi, we hear about security breaches on a regular basis. Our office works to ensure that businesses are complying with our security breach notification requirements and providing appropriate levels of protection to consumers whose information has been exposed. If federal law took away state security breach laws like Mississippi’s, we’d be left without a meaningful method to make businesses take action in response to security breaches,” said Hood in the letter.
“As the vast majority of my colleagues and I have explained in this letter, any federal data breach protections should be an additional layer of protection for consumers,” said Attorney General Hood. “State laws already in place are critical tools that must not be preempted. Maintaining state laws in addition to any new federal legislation ensures that all breaches – no matter how large or small – can be addressed.”
The letter points out a number of concerns with federal preemption of state data breach and security laws, including:
- Data breaches and identity theft continue to cause significant harm to consumers. Since 2005, nearly 5,000 data breaches have compromised more than 815 million records containing sensitive information about consumers – primarily financial account information, Social Security numbers or medical information. Full-blown identity theft involving the use of a Social Security number can cost a consumer $5,100 on average.
- Data security vulnerabilities are too common. States frequently encounter circumstances where data breach incidents result from the failure by data collectors to reasonably protect the sensitive data entrusted to them by consumers, putting consumers’ personal information at unnecessary risk. Many of these breaches could have been prevented if the data collector had taken reasonable steps to secure consumers’ data.
- States play an important role responding to data breaches and identity theft. The States have been at the frontlines in helping consumers deal with the repercussions of a data breach, providing important assistance to consumers who have been impacted by data breaches or who suffer identity theft or fraud as a result, and investigating the causes of data breaches to determine whether the data collector experiencing the breach had reasonable data security in place. Forty-seven states now have laws requiring data collectors to notify consumers when their personal information has been compromised by a data breach, and a number of states have also passed laws requiring companies to adopt reasonable data security practices.
The letter urges Congress to preserve existing protections under state law, ensure that states can continue to enforce breach notification requirements under their own state laws and enact new laws to respond to new data security threats, and to not hinder states that are helping their residents by preempting state data breach and security laws.
In 2005, 44 state attorneys general—including Attorney General Hood—wrote a similar letter to Congress calling for a national law on breach notification that did not preempt state enforcement or state law.
In addition to Mississippi, the other state and territorial attorneys general offices that signed today’s letter are: Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Northern Mariana Islands, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, and West Virginia.