The recent data breach at Target highlights the growing role of states in protecting people's online data and privacy.
Attorneys general in Connecticut, Illinois and New York are leading a multistate investigation into December's cyberattack at Target, in which hackers stole the payment card numbers of at least 70 million shoppers, along with their names, mailing addresses, phone numbers and email addresses.
The state attorneys general pressed Target to offer one year of free credit monitoring to all customers, even those who were not affected by the data breach. “I would strongly encourage all Target customers to take advantage of this offer,” Connecticut Attorney General George Jepsen said earlier this week. Jepsen urged shoppers there to change their PIN numbers and passwords, and to “be vigilant when it comes to unsolicited emails and phone calls seeking personal information.”
Attorneys general also are advising customers to be wary of phony websites urging Target shoppers to give up personal information in exchange for gift cards or other compensation for the breach. Many new websites with “Target” in the name, such as “targetcreditfix.com” and “targetsecuritybreach.com,” have been registered recently, according to California Attorney General Kamala Harris.
Most states have their own “security breach laws” requiring companies to notify consumers if their credit card numbers have been stolen. The strength of those laws varies, however. Meanwhile, even though federal authorities have launched their own Target investigation, there is no federal law that requires disclosure of security breaches.
“It's definitely true that there has been a vacuum at the federal level in terms of privacy legislation,” said David Jacobs, an attorney who specializes in consumer protection for the Electronic Privacy Information Center (EPIC) in Washington, D.C.
As Stateline has reported, debates about threats to privacy, ranging from drones to electronic license plate readers, are expected to loom large in statehouses in 2014. Americans' online activity is increasingly moving from desktops to smartphones and other mobile devices. This shift has created new privacy concerns, but the federal government has provided little direction.
Nearly two years ago, President Barack Obama unveiled a Consumer Privacy Bill of Rights as a “blueprint for privacy in the information age.” The House and Senate have proposed their own measures, but nothing has become law.
Since 2010, the Federal Trade Commission has been considering whether to give consumers a “Do Not Track” option that allows them to opt out of websites collecting information about their online activity, similar to the FTC's Do Not Call Registry, which allows consumers to opt out of most telemarketing calls.
While there isn't a federal data security breach law, the FTC has brought legal action against companies that violate consumers' privacy rights using a provision of the FTC Act, which bars “unfair and deceptive acts and practices in or affecting commerce.”
Last fall, for example, a company that markets video cameras consumers can use to remotely monitor their homes settled FTC charges that its lax security practices exposed the private lives of hundreds of people to public viewing on the Internet.
With action stalled in Washington, states are stepping up their efforts with new legislation, heightened scrutiny from state attorneys general and consumer education campaigns.
In 2002, California was the first state to pass an online “breach notification” law. Since then, 46 states and the District of Columbia have followed California's lead by requiring businesses and/or public agencies to notify consumers of security breaches of personal information.
Last year, California laid down new markers that other states are expected to consider this year:
“It's not uncommon for California to lead in privacy issues,” said John M. Simpson of Consumer Watchdog, a Santa Monica-based nonprofit group. Simpson said his organization is working on a ballot measure that would implement stricter Do Not Track protections.
Maryland is considering its own teen eraser law. That idea is among six recommendations for protecting children's online privacy that Maryland Attorney General Douglas F. Gansler presented late last year to the state legislature.
Gansler also wants Maryland lawmakers to consider prohibiting “cloud” service providers from using for commercial purposes any data they collect in Maryland public schools. Both Massachusetts and New York considered similar legislation last year that did not become law.
Businesses and advertisers contend it is difficult to comply with the patchwork of state privacy laws.
The Direct Marketing Association supports a national security breach standard, but thinks “self-regulation” is a better framework for Do Not Track issues since that option allows companies to respond more quickly to changing technologies than laws and regulations.
“The Internet doesn't stop at state lines,” said Rachel Nyswander Thomas, executive director of the Data-Driven Marketing Institute, an advocacy arm of the Direct Marketing Institute. Once “something passes in California … it becomes a de facto national standard” since many companies have customers in that state, she said.
An example of the “self-regulation” pushed by the industry is the Digital Advertising Alliance's global “AdChoice” program, known for its blue, clickable triangle icon that gives users a Do Not Track option. The icon usually appears near online banner ads or on the bottom of Web pages.
States have worked with Google, Facebook and others to make voluntary changes, but they also have turned to the courts:
Early last year, California Attorney General Harris released online privacy recommendations for mobile app developers. They include icons or pop-up notifications to inform consumers how their personal information is being collected and shared, and follow a 2012 app privacy agreement with Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft and Research in Motion.
Meanwhile, Facebook and the National Association of Attorneys General last year released a public service announcement about online safety and stepped up consumer education.