Following high-profile, large-scale breaches such as that of Equifax, there have been increasing calls for federal legislation setting standards for notification, rather than relying only on state laws, which cannot address the national scope of incidents. But the attorneys general of 32 states have spoken up to object to a bill that would do that.

The Data Acquisition and Technology Accountability and Security Act would preempt state laws that require that consumers and attorneys general be notified about data breaches. The group of state officials argues that removing those requirements would deprive them of valuable information and enforcement opportunities.

The bill would only address breaches affecting 5,000 or more consumers, leaving the many smaller, regional ones unreported. It would also allow companies to determine whether to notify consumers of a breach based on their own judgment. This reduced transparency would likely result in fewer data breach notifications being sent out to consumers who may be at risk of harm, they argue.

“Instead, we believe there is a place for both state and federal agencies to act to protect consumers’ important personal information,” the group concluded.

More at Health IT Security