Those in the privacy law community will remember Danielle Citron’s seminal research on state attorneys general and their role in investigating privacy and data security breaches. I reported on that research back in June, 2016 on PogoWasRight.org.
As those who are regular readers of this site know, there have been more announcements of multi-state settlements this year in the wake of data breaches. This collaborative approach seems to be paying off for consumers, although it’s not clear how much actual benefit in the way of compensation affected consumers or patients may derive from such enforcement or settlement actions.
Theresa Defino has two articles in the December 18 issue of Report on Patient Privacy that are relevant to this topic. Both are now freely available online on JDSupra:
New Enforcement Threat: ‘Coordinated’ AGs Pursuing Settlements Following Big Breaches and
When AGs Call, Know When to Fight, When to Fold.
Defino reports:
Just two years after the first multistate agreement related to a data breach—the $900,000 settlement with Medical Informatics Engineering—the AG community is now motivated and experienced when it comes to pursuing such settlements, explained Jonathan Skrmetti, Tennessee’s chief deputy attorney general. Covered entities (CEs) and business associates (BAs) that experience breaches affecting multiple states should expect attention from groups of AGs working together….
Specific advice to covered entities and business associates given by Skrmetti in the second article is something both in-house counsel and external counsel should carefully consider. Interestingly, Skrmetti gives entities the same advice this blogger has been giving them for years, including the advice that transparency and contrition make a difference, and
trying to minimize a breach “sends exactly the wrong message.”
As state attorneys general collaborate in investigating multi-state breaches, they fill an important gap in what the FTC and HHS can do in investigation and enforcement. They also remind us that a federal law that might pre-empt such activity is not in our best interest unless it offers stronger consumer and patient protections than existing state laws, and unless it leaves the states free to enforce it.