With continued inaction on a national data breach notification law at the federal level, states remain at the forefront of data privacy enforcement, including data breach notification laws. Beginning October 1, 2012, Connecticut follows on the heels of Vermont and California to join the growing list of states (AK, CA, IN, LA, ME, MD, MA, MO, NH, NY, NC, VT, and VA) that require a business that experiences a data breach that exposes personally identifiable information to notify the Attorney General, in addition to any affected citizens that the business must notify.
Connecticut AG George Jepsen lauded the new law, suggesting that it will assist in enforcement. Even without the new law, however, the Connecticut AG’s office (under both AG Jepsen and his predecessor, now-U.S. Senator Richard Blumenthal) long has been focused on data privacy and data breach notifications, and frequently has initiated investigations of data breaches (and posted on its website courtesy notifications it received). In this same vein, AG Jepsen last year created a Privacy Task Force, responsible for investigation of data breaches and other privacy violations, which will monitor the dedicated email address (firstname.lastname@example.org) his office established to receive notices of data breaches under the new law.
AG Jepsen is not the only AG to have a dedicated team focused on consumer privacy. This summer, California AG Kamala Harris created a Privacy Protection and Enforcement Unit, which enables the California DOJ to improve enforcement of privacy laws by consolidating all of the existing privacy functions of the office into a single unit. Indiana AG Greg Zoeller long has had an “Identity Theft” section that focuses on privacy and data breach matters. Massachusetts AG Martha Coakley’s office also focuses heavily on data privacy and data breaches, although still under the aegis of Massachusetts’ consumer protection division. Notably, like Connecticut, each of these states requires notification of data breaches to the AG.
Activity by AGs on the data privacy front likely will continue, given Maryland AG Doug Gansler’s NAAG Presidential Initiative for 2012 to 2013 (Privacy in the Digital Age), and we likely will see greater AG enforcement on this issue, as well as additional AG offices opening privacy protection units.
As a result of this continued activity, companies that hold consumers’ personal data should ensure that their privacy policies are up to date (including recognizing the new requirements in Connecticut, as well as Vermont and California) and strictly enforced, and should remain cognizant of all of their obligations under the various state data privacy and data breach notification laws.
*Divonne Smoyer and Aaron Lancaster are certified Information Privacy Professionals (CIPP/US) by the International Association of Privacy Professionals and have significant experience helping clients develop policies and strategies for complying with data privacy laws and implementing industry best practices.