Madigan testifies in D.C. as Congress considers data breach notification law

Following what has been termed “The Year of the Data Breach,” Illinois Attorney General Lisa Madigan (D) testified before the U.S. Senate Feb. 5, calling on Congress to enact a strong, meaningful federal data breach notification law that provides greater transparency for data breach victims and regulators to better understand what information was compromised in a breach, how it occurred and whether adequate security measures were in place to protect customer information.

“Congress should seek to pass legislation that ensures notification of breaches that can harm Americans,” Madigan said. “A weak national law that restricts what most state laws have long provided will not meet Americans’ increasing and rightful expectation that they be informed when their information has been stolen.”

Madigan testified before the Senate’s Subcommittee on Commerce, Science and Transportation in a hearing titled “Getting it Right on Data Breach and Notification Legislation in the 114th Congress.” The epidemic of data breaches has grown over the past decade, now affecting almost every American consumer and inflicting billions of dollars of damage to the U.S. economy.

Since 2005, almost 4,500 publicly known breaches have affected more than 900 million consumer records. In 2013 alone, Madigan’s office saw a 1,600 percent increase in data breach complaints compared to the year before.

Madigan called on members of the subcommittee to authorize a federal agency to investigate large, sophisticated data breaches, akin to the National Transportation Safety Board’s role in aviation accidents. A single federal entity authorized to investigate data breaches would provide expertise in data security for the country to better protect American consumers.

The Attorney General also testified that a federal data breach law must cover a range of sensitive data — not just Social Security numbers or stolen credit card numbers, but also online login credentials, medical information shared on the Internet that is outside the scope of current privacy regulations, biometric data and geolocation data. Companies must be required to report any data breach involving this type of personal information, Madigan said.

Equally important as Congress considers a federal data breach notification law, Madigan said, is the ability of state regulators to continue investigating data breaches at the state level. Federal legislation must not preempt the states’ ability to respond and act when data breaches affect residents in their states. Any preemption by Congress must only provide a “floor” for reporting requirements and preserve a state’s ability to use its consumer protection laws to investigate data security practices and enforce federal law.

Madigan has launched numerous investigations into whether businesses and health care providers are adequately protecting consumers’ data. She is leading investigations into large data breaches reported since 2013, including Target and Neiman Marcus. In 2005, Madigan led the effort to enact a state law to require companies to promptly notify their customers of data breaches to ensure consumers know when their sensitive data has been compromised.

The Attorney General also supports her office’s Identity Theft Unit, which staffs a statewide hotline (1-866-999-5630) to provide one-on-one assistance to victims of identity theft and data breaches. The ID Theft Unit has helped reverse more than $27 million worth of fraudulent charges on more than 37,000 Illinois consumers’ accounts.