New Mexico Attorney General Hector Balderas
SANTA FE ― Attorney General Hector Balderas Monday joined a coalition of 31 states and the District of Columbia urging Congress not to preempt state data breach and data security laws, including laws that require notice to consumers and state attorneys general of data breaches.
Attorney General Balderas is currently investigating the Equifax data breach and has previously settled with Nationwide and Target for their breaches impacting New Mexicans. In their letter, the attorneys general argue that any federal law must not diminish the important role of states in addressing data breaches and identity theft, especially in states like New Mexico that have laws that provide greater protections than federal counterparts.
“Tens of thousands of New Mexicans have been victims of data breaches and it’s crucial that the federal government not stand in the way of the Office of the Attorney General’s work to hold giant, out of state corporations accountable when they put our citizens at risk,” said Attorney General Hector Balderas. “New Mexicans deserve the strongest protections against data breaches and I am urging Congress to protect our authority to protect New Mexico families and small businesses.”
The letter urges Congress to preserve existing protections in state law, ensure that states can continue to enforce breach notification requirements under their own state laws, and enact new laws to respond to new data security threats.
In part, the letter states:
“States have proven themselves to be active, agile, and experienced enforcers of their consumers’ data security and privacy. With the increasing threat and ever-evolving nature of data security risks, the state consumer protection laws that our Offices enforce provide vital flexibility and a vehicle by which the States can rapidly and effectively respond to protect their consumers.”
The attorneys general point out a number of concerns with the proposed Data Acquisition and Technology Accountability and Security Act, including:
Reduced transparency to consumers: The bill allows entities suffering data breaches to determine whether to notify consumers of a breach based on their own judgment. The attorneys general argue that when a data breach occurs, impacted consumers should be informed as soon as possible.
Narrow focus on large-scale data breaches: The bill fails to acknowledge that most breaches are either local or regional in nature. The bill only addresses large, national breaches affecting 5,000 or more consumers and prevents state attorneys general from learning of or addressing breaches that are smaller but still cause great harm to consumers.