Tennessee Attorney General Herbert Slatery has served the citizens of Tennessee since 2014. Unlike most of his fellow attorneys general in other states, who most often are elected by voters, he (and his predecessors) was appointed by the Tennessee Supreme Court to serve an eight-year term. He is well known and respected by his fellow attorneys general across the U.S. and often works on complex, bipartisan multi-state investigations on matters of keen national importance, including opiate addiction and competition in the technology sector.
As the chief law enforcer for the state of Tennessee, he also has consumer protection, including consumer privacy and cybersecurity, as a top priority for Tennessee citizens and businesses.
Here, he shares his thoughts on privacy in the states, prospects for "federalization" of privacy standards and enforcement, and what states are doing in the interim to address concerns about data collection and (mis)use.
The Privacy Advisor: With the new Biden administration and the passing of the torch from one party to another, how is your office preparing for this shift, and what is your prediction on what will change in privacy enforcement from the federal level? What else can you share with privacy practitioners and businesses about what to expect from your office in the coming year?
Slatery: This office has always had strong working relationships with our federal partners over several years and several administrations. I anticipate these relationships will continue to grow as each of us needs to address crucial issues surrounding antitrust and related data privacy concerns. We have also enjoyed successful bipartisan collaboration among the various state attorneys general on these issues. There is no sign of any change in that bipartisanship regardless of the national political situation.
I hope the Biden administration and U.S. Department of Justice continue to prioritize the pending antitrust cases against Google and Facebook and that they focus on stronger enforcement of both antitrust and consumer protection laws in the digital arena. This office will always pursue important privacy-related cases, large and small. I have always thought we punch above our weight as attorney general offices go, and our goal is to keep on doing so.
The Privacy Advisor: After the passage of the California Consumer Privacy Act and EU General Data Protection Regulation, the federal government has also begun considering a potential federal privacy law, holding hearings and announcing proposed legislation on key issues such as preemption, enforcement and the possibility of a private right of action for enforcement. Do you believe that a federal law will be an effective way to protect consumer privacy? What type of privacy law, if any, would you like to see come out of Congress?
Slatery: The odds for federal privacy legislation are fairly good in the next few years. A single strong, comprehensive and bipartisan federal privacy law would provide more certainty and decrease compliance costs for businesses while ensuring uniform protection of consumers. But any federal privacy law should allow for state attorney general enforcement, consistent with comparable laws involving data privacy, such as the Health Insurance Portability and Accountability Act and the Children's Online Privacy Protection Act.
The Privacy Advisor: 2020 was a sea change for how we all do business and increasingly all remotely. COVID-19's broad impacts continue to be felt, with many data privacy implications for companies shifting work to the home office and in greater processing of sensitive personal health data, including contact-tracing information. Even children's personal data is implicated by the new reality of remote schooling, and through all of this, we are increasingly finding out about vulnerabilities as we go. What are your office's concerns and areas of focus in response to these developments?
Slatery: Like everyone else, this office had to start working remotely and fortunately did so very successfully. I'm grateful for how well our attorneys and staff have adjusted to the temporary realities of the COVID-19 era. Making it all possible was our information systems team, which has done an incredible job keeping our network functional and secure. We had to deploy and upgrade laptops, expand our virtual private network, and learn new applications, like Zoom, WebEx and Microsoft Teams.
The IS team is continuously monitoring threats and providing guidance to all employees on a range of matters. However, we realize that many private companies and entities in the public sector, including schools, struggle to meet this moment. Not all vulnerabilities can be easily spotted or anticipated. That is why we continue to monitor data breaches and COVID-19-related security issues that come to our attention and work together with other states to address issues as they arise.
The Privacy Advisor: There has also been an increasing number of state-level laws introduced around data privacy, but the biggest name has to be the CCPA, which will, in just under two years, be replaced by the California Privacy Rights Act. Both provide a robust set of consumer data privacy rights around accessing and deleting personal information, with detailed requirements and timelines for answering data subject access requests, among other provisions. Has your office considered taking on a similar comprehensive privacy law for Tennesseans? If so, what aspects of the law do you most agree with and want to see in a Tennessee version? Conversely, what other aspects would you like to leave behind?
Slatery: Traditionally, the attorney general's office in Tennessee does not initiate legislation except in limited areas, although we often consult on bills that impact this office. I believe strongly that an individual's data belongs to that individual. Companies do not have the right to take that information, resell it, and otherwise monetize or manipulate it without informed consent. And I mean actual informed consent. Important strides have been taken by our fellow states in passing legislation affirming the primacy of individual rights in this area.
If new privacy legislation were to come before the Tennessee General Assembly, I would hope that it would contain provisions allowing consumers far more granular control over the data that companies collect from them. This includes the ability to know what data companies have and what they do with it and the right to have data deleted or opt out altogether from data collection.
I also believe consumers should have to give informed consent before their data can be used and that there should be easy, centralized ways for consumers to opt out of the sale of their data. As tech platforms become more and more consolidated, the sale of data is a less pressing concern. It is the raw collection of so much data by a handful of extremely powerful entities that demands the most attention. At the most basic level, a lot of consumers still do not realize how or why their data is being collected in the first place or how valuable it is to companies and data brokers, and we need to change the ground rules in these relationships.
The Privacy Advisor: The recent SolarWinds event brings home the fact that many organizations are trying to do the right thing: fix vulnerabilities by ensuring their software is up to date with the latest patches to protect their information assets and personal data. However, it still wasn't enough to prevent the breach. Ohio's data breach law provides a "safe harbor" against some breach claims if the organization has "industry-recognized" cybersecurity frameworks designed to protect confidentiality and security of information, as well as sufficient administrative, technical and physical safeguards. This safe harbor seems to recognize that sometimes organizations can try their best to protect their data and perhaps that no security program is entirely foolproof. Is this a concept that Tennessee has or would consider incorporating into their data breach laws, and why or why not?
Slatery: This office applauds companies' efforts to tackle data security incidents — especially those with national security implications — head-on and as transparently as possible, quickly disclosing necessary information to their customers and consumers while working with attorneys general and other law enforcement to prevent additional damage. When we all — public and private sectors alike — work together to address the fallout from data security incidents, we are the stronger for it.
In terms of legislation, while this office does not normally draft or propose legislation, I believe Tennessee legislators want to help and reward businesses that are being vigilant about protecting the data in their control. Businesses need to create and implement information security programs to protect the confidentiality and integrity of consumers' personal information with the appropriate safeguards. However, there are times when even a business with the best cybersecurity can be attacked by a hacker that is a sophisticated state actor or part of a criminal organization.
These attackers use cutting-edge techniques that could not necessarily be anticipated. While there is no legislation pending so far this year that would add a safe harbor component to our data breach laws, we do track what happens with other states, and I am very interested in seeing how the safe harbor statute plays out in Ohio and any other states considering similar legislation. In the meantime, our goal in addressing data breaches is to protect consumer privacy by disincentivizing irresponsible behavior by companies that hold sensitive information. We do not want to indiscriminately pile on to companies that have been victimized by sophisticated attackers. Effective enforcement in this area requires an appreciation for nuance.
The Privacy Advisor: Tennessee joined with 42 other state attorneys general in a detailed 2019 letter to the Federal Trade Commission about priorities for enforcement, many of which related to data privacy and practices for collecting and selling data. This letter was very positive about the "robust cooperation" between the state attorneys general and the FTC and building on that historical cooperation. Additionally, we have also seen that Tennessee has been at the forefront of many multi-state attorneys general investigations on data breaches impacting different states. Can you share a bit more about what you think the trends will be to come on these fronts regarding how they will direct their time and resources?
Slatery: This office's top priorities in the privacy sphere are our antitrust lawsuits against Google and Facebook. Working together with a bipartisan group of state attorneys general and in coordination with the FTC and Department of Justice, we are seeking to check the monopoly powers of these dominant digital platforms. It is imperative we restore competition to the marketplace. The extraordinary concentration in the tech industry has led to an abrupt decline in privacy as consumers effectively have no choice but to surrender their data and their privacy to have access to basic digital goods and services. Control over consumer data is crucial to these companies' dominance over potential rivals and consumers alike. Only rigorous enforcement of current laws — and, potentially, the development of new laws — will enable us to protect our economy and our citizens.