On April 6, during a panel discussion at the International Association of Privacy Professionals’ Global Privacy Summit, officials from the Attorney General offices of New York, Illinois and the District of Columbia highlighted the evolving focus of state Attorneys General from high-profile retail data breaches to breaches involving more sensitive personal data. Matthew Van Hise, an official with the Illinois Attorney General’s Office, noted that as retailers are becoming more sophisticated in implementing their payment card infrastructures, through chip-and-pin and other methods, state AGs are turning their attention to breaches of personal health information, Social Security numbers, and other highly sensitive data.
During the same discussion, Clark P. Russell, an official with the New York Attorney General’s Office, said New York and other states need to improve their data protection statutes to encourage companies to boost their security practices. The particular measure he mentioned, which the New York Attorney General proposed in early 2015, would set minimum standards for data security and expand the state’s definition of “personal information” to explicitly cover medical data and other categories of sensitive data. Currently, eight states and Puerto Rico include medical data in their definitions of “personal information.”
Mr. Russell’s comments provide insight into why state AGs are shifting their focus from payment card data breaches to breaches of more sensitive personal information: the situation with retailers is expected to improve. As the Payment Card Industry has encouraged nation-wide rollout of chip-enabled point-of-sale machines by shifting liability to non-compliant retailers, state AGs expect retailer data breach incidents to decline in frequency. Similarly, state AGs hope an increased focus on other types of personal information can lead to a decline in breaches of other highly sensitive data.
Philip Ziperman, an official with the District of Columbia Attorney General’s office, said during the discussion that state AGs heavily consider the degree of sensitivity of the breached data when considering whether to bring enforcement actions. “It’s largely based on how good or bad the facts are,” he said. Mr. Van Hise confirmed that state AGs are “shifting gears” to other types of data: “We’ve evolved a long way.”
Reporter, Tom Randall, Washington, DC, +1 202 626 5586, firstname.lastname@example.org