Colorado Attorney General Phil Weiser, elected to serve as attorney general in 2018, may be the most tech-savvy attorney general in the U.S. He also knows how to make data privacy and cybersecurity accessible and interesting, often invoking the Harry Potter character “Mad-Eye” Moody — and his mantra, “constant vigilance” — when discussing the topic with his constituents.

In addition to clerking for the late Supreme Court Justice Ruth Bader Ginsburg, his experience includes teaching law and telecommunications at University of Colorado Boulder Law School and founding the Silicon Flatirons Center for Law, Technology and Entrepreneurship, as well as serving as a deputy assistant attorney general in the U.S. Justice Department’s Antitrust Division, senior advisor for technology and innovation to the National Economic Council Director, and dean of the University of Colorado Law School.

The Privacy Advisor: Your legal career began with a clerkship for Justice Ginsburg, and you are her only former clerk (thus far!) to become a state attorney general. Ginsburg is well known for her robust advocacy for women and LGBTQ individuals, but she also encouraged listening and learning from opposing viewpoints. Having led bipartisan coalitions of attorneys general in the expansion of broadband connectivity and actions against robocalls, it is clear that you have embraced her example, employing both the gravitas, as well as the desire to work with your fellow attorneys general (of both parties). Do you foresee bipartisan action on data privacy, and/or do you think both sides can listen and learn from each other to achieve consensus in this important and dynamic area?

Weiser: Data privacy is indeed an area where attorneys general of both parties are working together to advance solutions. In a number of current multistate cases, both on data privacy matters and cybersecurity issues, this shared commitment to protecting consumers is on display. As for listening and learning, I am a big advocate of an open door for affected parties to share their perspectives. Former Gov. Roy Romer, D-Colo., captured the value of this approach in explaining that “all truth is partial,” meaning that because no individual can see all of the truth, we can develop better solutions by being open to a range of perspectives.

The Privacy Advisor: You have been outspoken about passing a data privacy law in Colorado, along the lines of the California Consumer Privacy Act, in the absence of comprehensive federal privacy law. Although you have stated the need for an effective privacy regulatory regime, you also have recognized that unduly burdensome requirements may not be worth the effort. You have also emphasized the need for an adaptive framework that can be used to oversee emerging technologies (e.g., the Internet of Things) and build consumer confidence in data protection. How do you think — either federally or in Colorado — this balance can best be achieved?

Weiser: In an ideal world, Congress would be able to legislate effectively and develop a comprehensive privacy law. In the absence of federal leadership, however, states are able to act as laboratories of democracy. The California law, for example, has instituted a common-sense and smart requirement that a company should be able to sell an individual’s personal information without a person’s awareness and consent. As federal or state privacy legislation is developed, it is important that the law be adaptive, focused on core principles, rather than prescriptive and rigid requirements. After all, technological circumstances can and will change; we need a legal regime that can change with it.

The Privacy Advisor: Cementing your role as one of the most technologically sophisticated state attorneys general, one of your earliest actions was to set up an interdisciplinary Data Privacy and Security Impact Team. What role does this team have in your office, and how has its implementation benefitted your state?

Weiser: At the Colorado Attorney General’s Office, we are committed to bringing together professionals in our office who are working on data privacy and cybersecurity from a range of perspectives. Getting back to the “all truth is partial” theme, we can develop better approaches by bringing together the IT professionals in our office who work on cybersecurity, consumer protection enforcers, community engagement leaders, and lawyers who represent our state government on privacy and cybersecurity matters. This conversation means, for example, that we are developing our enforcement priorities with an eye toward knowing what is reasonable for our office to do. We also are committed to working to educate both our state government client agencies and private entities on what best practice looks like. In so doing, we are committed to listening to one another, working together to solve problems and learning from one another.

The Privacy Advisor: Colorado’s tech sector accounted for more than 14% of the state’s gross domestic product in 2019 and both well-established industry leaders and tech startups call Colorado home. What have you learned from your dealings with this sector that helps guide your role as the state’s chief legal officer?

Weiser: Before serving as attorney general, I spent two decades at the University of Colorado working with our technology sector on issues at the intersection of law, technology and entrepreneurship. My commitment to supporting an innovative technology sector and bringing an innovative mindset to all I do, including serving as attorney general, is a continuation of my life’s work and experience. The biggest learning I take from my engagement with technology companies and entrepreneurs is to appreciate the value of experiments — taking a “lean startup” mindset, in other words. In setting up our Interdisciplinary Impact Team, we have demonstrated our willingness to experiment, and we will continue to do so.

The Privacy Advisor: Since 2018, when Colorado updated its data security and breach legislation, notices of data breaches to your office have skyrocketed. Notifying state attorneys general after suffering a breach is often a nerve-racking process for businesses. What practices do you recommend to those reporting data security incidents to your office, and what advice can you give to those facing a subsequent investigation?

Weiser: The most important advice I can offer is to work with our office in a straightforward and collaborative manner. It is critical to take responsibility and explain how the situation is being remedied. In cases where firms fail to do so and indeed engage in deception around their conduct, enforcers are most likely to take action.

The Privacy Advisor: Some attorneys general are considering or have proposed regulations or office policies providing businesses that suffer a data security incident with a safe harbor from state action if they have abided by certain cybersecurity frameworks and/or otherwise demonstrate good cybersecurity practices. The goal of a safe harbor, of course, is to encourage companies to implement strong cybersecurity practices to avoid preventable breaches and to focus state resources on truly bad actors. Do you think such a safe harbor could benefit Coloradans and have you considered creating one?

Weiser: In practice, we are interested and committed to working with firms who take responsibility and act responsibly. To that end, we will continue to develop guidance and educate companies on how they need to act. We are committed to reserving enforcement action only for those instances when companies act clearly and irresponsibly outside the scope of appropriate behavior.

The Privacy Advisor: What are your privacy- and data security-related priorities for 2021?

Weiser: We will work on continuing to develop appropriate guidance, support conversations around legislative reforms, and participate in enforcement actions that hold companies accountable for irresponsible actions that harm or threaten to harm consumers.
