A recent lawsuit brought by the California Attorney General, accusing Kaiser Permanente of unreasonably delaying notice of a 2011 data breach to the affected individuals, continues a rising trend of enforcement of consumer data privacy laws by state attorneys general. Traditionally, enforcement of consumer online and data privacy protections has been dominated by the Federal Trade Commission (“FTC”). State attorneys general, however, have increasingly filed actions on behalf of consumers whose privacy rights have been affected. With the FTC facing stiff challenges to its authority to bring consumer data privacy enforcement actions in the Wyndham and LabMD Inc. cases, state attorneys general are poised to take on a more prominent role in protecting consumer data privacy online. In many ways, state attorneys general possess more power to enforce consumer online and data privacy protections than the FTC does, and they represent a formidable authority that organizations engaged in e-commerce must take into account.
The Kaiser Permanente case is only the latest example of how active state attorneys general have become in data privacy enforcement nationwide. In The People of the State of California v. Kaiser Foundation Health Plan, Inc., California’s Attorney General, Kamala Harris, settled state unfair competition claims with Kaiser for $150,000, and Kaiser agreed to improve its data security practices. The settlement resolved claims that Kaiser waited four months to notify more than 20,000 current and former employees that their personally identifiable information (“PII”) had been compromised when an unencrypted hard drive containing the PII was purchased at a thrift shop in 2011. The court found that Kaiser had gathered enough information to notify at least some of the affected individuals after the hard drive was recovered in December 2011, well before its investigation concluded in February 2012.
Many of the high-profile consumer data privacy enforcement actions of the past year have been initiated by state attorneys general. In November 2013, 37 state attorneys general and the District of Columbia settled with Google for $17 million over alleged violations of various state consumer protection and privacy laws: Google had placed third-party cookies on Apple’s Safari browser after telling users that Safari’s default settings would block such cookies. Earlier in 2013, attorneys general for 38 states and the District of Columbia settled with Google for $7 million over claims that Google’s Street View vehicles had collected personal consumer data from unsecured Wi-Fi networks. Other states have opened investigations and enforcement actions against both nationwide entities such as Living Social and local entities that fail to protect consumer privacy online.
Notably, state attorneys general from around the nation (along with the United States Attorney General) are currently investigating the December 2013 Target data breach, which affected over 110 million consumers. This investigation may be a precursor to significant enforcement actions against Target by the state attorneys general, collectively or individually. Such a coordinated and widespread action would signal clearly to companies that state attorneys general are on the front line of enforcing consumer data privacy protections.
In general, state attorneys general have more tools available to protect consumer data privacy than the FTC does, since Section 5 of the FTC Act limits the FTC to pursuing causes of action for “unfair or deceptive acts or practices.” Most states already have analogous consumer protection statutes that allow actions against unfair business practices, but many of those statutes do not carry the FTC Act’s limitations on the recovery of monetary and civil penalties. In addition, state attorneys general can rely on state-specific consumer data privacy laws (e.g., the Maryland Personal Information Protection Act, the Massachusetts Data Privacy Act and the California Online Privacy Protection Act) that govern the use and protection of consumer data and require notification when that data has been compromised. Further, state attorneys general may assert claims for consumer data protection violations under certain federal laws, such as the Health Insurance Portability and Accountability Act, which the FTC cannot.
Armed with these tools, state attorneys general have signaled their intent to devote more enforcement effort and attention to Internet privacy matters and to hold companies accountable when they breach consumer trust by mishandling consumers’ PII or misrepresenting their privacy practices. To that end, many state attorneys general have dedicated units responsible for investigating consumer Internet privacy matters. State attorneys general also frequently collaborate and coordinate on privacy enforcement matters that affect consumers in multiple states, as the Google settlements and the current Target inquiry show.
Although enforcement actions by state attorneys general do not fundamentally differ in effect from enforcement actions by the FTC, the differences that do exist merit consideration by businesses engaged in e-commerce. For instance, actions by state attorneys general involve full-blown litigation, which can be considerably more expensive than the administrative actions or investigations brought by the FTC. State attorneys general actions also expose companies to liability under a wider array of state and federal laws, increasing a company’s overall exposure. Further, state attorneys general may seek damages and other forms of relief that are not available to the FTC and are not limited by the FTC Act. Significantly, if state actions are not consolidated, a company could face separate lawsuits from the attorney general of each state in which it operates. As a result, understanding the laws and regulations governing consumer data protection in each state where a company operates is critical to avoiding unwanted attention from state attorneys general.
While state attorneys general have shown a willingness to work with companies that are transparent and forthcoming about their privacy policies and operations, companies that delay data breach notification, fail to implement adequate data security measures, or misrepresent or obscure their privacy practices are likely to draw the ire of state attorneys general. Ultimately, companies should consider how their data privacy practices might come under scrutiny not only from the FTC but from the various state attorneys general. Companies that take a transparent and proactive approach to working with state attorneys general may avoid the damage to their business and brand that can follow from mishandling consumer personal data.