The U.S. Capitol in Washington, D.C.

WASHINGTON (Legal Newsline) - A group of 47 state attorneys general sent a letter to members of Congress Tuesday, urging the federal lawmakers to maintain the states’ ability to enforce their own laws that protect consumers from data breaches and identity theft.

Congress has introduced a number of bills on data breach notification and data security; however, many remain in a holding pattern. Most of the bills preempt state laws.

In their letter to House and Senate leaders, the attorneys general argue that enacting legislation that includes a preemption provision would make consumers less protected than they are currently.

“Our constituents are continually asking for greater protection,” the five-page letter states. “If states are limited by federal legislation, we will be unable to respond to their concerns.”

The attorneys general argue that states are the ones “on the front lines” in terms of helping consumers deal with the repercussions of a data breach.

Attorneys general regularly investigate the causes of data breaches to determine whether data collectors who experience a breach used reasonable data security practices and notified consumers of the breaches according to the requirements of state law.

States began adopting data breach notification laws in 2003, and some have since required data collectors experiencing breaches to directly notify the attorney general in order to respond more quickly to concerned consumers.

For that reason, any federal legislation should be “tailored to ensure complementary enforcement authority,” the attorneys general argue.

That includes continued flexibility to adapt state laws to respond to changes in technology and data collection and to place requirements on data collectors that go beyond those required at the federal level.

“Protecting consumers is a top priority for my office, and I want to make sure the federal government doesn’t stand in the way of that,” West Virginia Attorney General Patrick Morrisey said in a statement.

“Data breaches and identity theft pose significant and increasing threats to consumers, and while these federal proposals may be well-intentioned, they stand to hinder our local efforts to combat and warn consumers of these threats.”

West Virginia joined 46 other state and territorial attorneys general in signing the letter. The others include: Arkansas, Connecticut, Illinois, Indiana, Maryland, Massachusetts, Nebraska, Alabama, Alaska, Arizona, California, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Northern Mariana Islands, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia and Washington.

“Data breaches are increasingly threatening our financial security,” Illinois Attorney General Madigan said in a statement. “States absolutely must maintain their authority to serve as a frontline responder to assist residents in the wake of data breaches to help minimize the threat of identity theft.”

In 2005, 44 state attorneys general wrote a similar letter to Congress calling for a national law on breach notification that did not preempt state enforcement or state law.

“In the intervening decade since the prior letter, states have further proven these points, as offices of attorneys general have played critical roles investigating and enforcing data security lapses and responding to identity theft and consumer fraud on behalf of constituents,” the attorneys general wrote.

“At the same time, state legislatures have continued to pass significant, innovative laws related to data security, identity theft, and privacy.”

To read the complete letter, click here.

From Legal Newsline: Reach Jessica Karmasek by email at

More News