Mark Brnovich was inaugurated as Arizona’s Attorney General in 2015. He has prioritized data privacy and cybersecurity as AG, both within the state and as the current Chair of the Conference of Western Attorneys General (CWAG). His 2018 Chair Initiative for CWAG focuses on privacy, cybersecurity, and digital piracy, with a special conference to be held in Scottsdale, Arizona, on May 3 and 4. The Chair Initiative will include discussions among attorneys general on individuals’ privacy interests in personal information; how attorneys general can ensure that sensitive information is secure, including by updating state data breach statutes; and how attorneys general can combat digital piracy. Here, AG Brnovich talks to The Privacy Advisor about his focus on privacy and data security and how attorneys general are tackling those issues in their states.

The Privacy Advisor: You have chosen to focus your 2018 Chair Initiative for CWAG on data privacy, cybersecurity, and digital piracy. Why did you choose these issues, and what do you hope that you and other attorneys general will get out of the discussion?

AG Mark Brnovich: These topics allow us to consider the growing disregard for the privacy interests of our citizens. With the advent of new technology, Americans are storing and exchanging an increasing amount of personal data online, including sensitive financial information and medical records. While overall this technology is making our lives easier and more convenient, our data security laws have not kept pace with the changing landscape. The challenge for lawmakers is finding the delicate balance between fostering innovation and protecting the privacy and security of individual citizens. Policies need to be drafted in a manner that addresses privacy concerns while not imposing undue burdens on the private sector or denying opportunities to consumers. By bringing these topics to the forefront for CWAG, my goal is to work together to find creative answers to these complex problems.

Arizona Attorney General Mark Brnovich

The Privacy Advisor: The Chair Initiative will address the issue of how attorneys general can determine appropriate standards and protocols for the collection of personal data. attorneys general have often been at the forefront of data breach response, but have to date focused less on unfair data use. How would you like to see attorneys general involved in policy and enforcement surrounding this issue?

Brnovich: State attorneys general can play three key roles in this space. First, while we are not lawmakers, we can encourage our legislators and other policymakers to thoroughly understand this issue and craft legislative solutions. Second, we can prosecute entities that misuse and abuse personal data. And third, we can increase education to consumers, especially younger consumers, about the consequences of putting information online and “opting-in” to allow companies to sell or use that data for commercial purposes. The Facebook controversy has brought this issue to light for the average consumer, and we should build off that discussion. As consumers, we need to change our habit of skimming company privacy notices and should instead give careful consideration to the information we make publicly available. State attorneys general can play a role in encouraging this change by getting into their communities and educating citizens about safe online practices. 

The Privacy Advisor: The Chair Initiative will include a discussion of data security, including the idea that state attorneys general should take a careful look at state data breach statutes and update them if necessary. You previously signed a National Association of Attorneys General letter to Congress, joining 46 other state attorneys general in voicing opposition to a federal data breach law that would pre-empt state laws. Other attorneys general, including former California Attorney General (now U.S. Senator) Kamala Harris, have supported a harmonization of state breach laws that would ease compliance burdens while retaining standards that protect consumers. What is your stance on this issue, and how can state attorneys general collaborate on a workable solution?

Brnovich: Navigating a maze of more than 50 different notification jurisdictions can be difficult for a company dealing with a data breach. However, the proposals Congress has offered for a national solution so far would actually undermine the strong consumer protections many states already have in place, including those in Arizona. For example, one of the recently proposed bills entirely pre-empts the attorneys general notification requirements included in various state laws, but then offers a much narrower requirement in its place. Thus, if the bill were to be adopted, many state attorneys general would receive far fewer notifications of data breaches, inhibiting their ability to investigate, identify hackers, and offer protections to their citizens. Transparency and prompt notification to both the consumer and the state attorneys general’s offices are key components to any data breach policy, and anything less is unacceptable. The premise of a national solution may sound appealing because it could provide a consistent and reliable notification process for both consumers and businesses, but my priority will always be to ensure Arizona consumers are protected. My hope is to use the CWAG Conference in May as a forum for attorneys general to discuss and collaborate on this complex issue. 

The Privacy Advisor: The Arizona attorneys general’s office recently held a joint conference in Phoenix with the Federal Trade Commission, focusing on, among other things, how your office can work with the FTC to protect consumers and businesses, including educating them about scams and computer hacking. States often join forces with the FTC on privacy and data security matters. What role does collaboration with the FTC play in your office’s consumer protection and enforcement efforts?

Brnovich: We appreciate the ability to fight fraud alongside our federal partners at the FTC. In 2015 and 2016, in partnership with the FTC and other states, we were able to shut down four sham cancer charities that had collected over $180 million from consumers but had only given pennies on the dollar to cancer victims. We’re also improving our information-sharing with the FTC, which will allow our offices to better root out and eliminate consumer fraud in Arizona and nationwide. 

One recent FTC initiative that we’ve been supporting is the Class Action Fairness Project. Our office has led bipartisan efforts to protect consumers from being abused in connection with class action settlements, and we are excited that the FTC is also seeking to improve this process for consumers.

The Privacy Advisor: You recently joined over a dozen other states in asking the U.S. Supreme Court to review a settlement between Google and a class of users who alleged that the company sold their search terms containing personally identifiable information to advertisers. The class members would not receive any portion of the $8.5 million settlement, which would go to the attorneys and cy pres recipients from five organizations. You have also intervened in other class action settlements that you alleged did not adequately compensate consumers, including one in New Jersey in February. Have you found that cy pres arrangements and other settlements providing minimal relief to consumers have been problematic in privacy suits and in other areas?

Brnovich: Class-action settlement abuse is a major concern, and something we are leading a national, bipartisan effort to fight. It is important to remember the money that changes hands in a class-action settlement comes from class members releasing their claims. With that in mind, we gather these large coalitions of states to make sure that when consumers have their claims released, they get their fair share of the settlement value in return. Too often in privacy cases, we see large tech companies settle privacy actions in a way that releases tens or hundreds of millions of consumer claims in exchange for millions of dollars, and yet through cy pres divert all the money to universities or other third parties, leaving consumers with released claims and no direct benefit. Given that privacy violations often touch large numbers of people, we are particularly concerned about cy pres in these cases.

We led a 13-state, bipartisan coalition in speaking against a $5.5 million Google settlement in the Third Circuit Court of Appeals late last year, in which Google sought to release millions of consumer claims related to its electronic “cookie” placement practices without getting any of the money to consumers. And we similarly gathered a 16-state, bipartisan coalition in the Supreme Court in connection with the search term settlement you noted, which also provided millions of dollars and yet sent none of that money to consumers. This is an important and pressing issue as we see large companies run into more and more privacy problems; we cannot let consumers come out of these cases worse off than they went in, and so we will keep advocating for consumers in these class action cases. 

The Privacy Advisor: An Arizona bill now being considered, SB 1091, would make cryptocurrency a valid form of payment for state taxes and would make it equal to dollars for transactions in the state. Arizona’s HB 2417 previously confirmed that electronic signatures and smart contract terms secured through blockchain technology are legally enforceable, making Arizona one of the only states to take this step. Is there other state legislation or action on the horizon in these areas that has support, and what do you see as the advantages and disadvantages for Arizonans of embracing these technologies?

Brnovich: While we can discuss advantages and disadvantages, these technologies are not going away, and government regulators have to think proactively about how to work with them to encourage the good so we can promote innovation that will benefit consumers. That is the major driving force behind my effort to create a fintech regulatory sandbox in Arizona. And with the passage of HB 2434, Arizona is the first state in the country to create a fintech sandbox.

In our fintech sandbox that will be administered by my office, entrepreneurs and established businesses alike can seek to test financial products and services in the Arizona market. Subject to certain restrictions, including the number of consumers that can be served, loan amounts, and capped interest rates, entrepreneurs and businesses allowed into the sandbox can offer an innovative product before committing the effort and expense to become fully licensed under state law. After the testing period, which would be for a maximum of 24 months, the person or business in the sandbox can either wind down the product or apply for a license depending on the results of the test. We want to make Arizona an innovation hub, and we expect both consumers and the business community to benefit from the ideas that come out of the sandbox.

Another exciting aspect of the sandbox is that it will give our office the ability to enter into reciprocity agreements with other states or countries that have sandboxes. Reciprocity with other jurisdictions will allow entrepreneurs and businesses to extend the reach of their novel products and encourage collaboration across state lines, which will likely foster even greater innovation. The U.K., which operates what is considered to be the most sophisticated fintech sandbox, has also spoken of exploring the idea of a “global sandbox,” which conceptually, could open up Arizona to innovations we otherwise may not have the opportunity to see until the market develops further.

All of this is subject to these ideas being workable under our state consumer protection laws, which are very important to me. Under HB 2434, we incorporated existing consumer protection laws and even strengthened our ability to deal with consumer protection problems if any arise. But ultimately we want to be on the leading edge of thinking through these issues, and Arizona is interested in creating avenues for innovation rather than merely reacting to disruptive market forces, or worse, getting in the way of innovation that helps consumers.

The Privacy Advisor: What are your goals for attorneys general in the privacy and data security space in 2018 and beyond?

Brnovich: 2018 is the year to have some frank conversations about privacy and data security issues. In the wake of the massive Equifax data breach and now the Facebook privacy controversy, these discussions are timely and necessary. Over the last several years, state attorneys general have taken on an increasing role in addressing complex legal issues of this magnitude, and my goal is that protecting the privacy of our citizens becomes the focus of our next big bipartisan effort. 

photo credit: 3D Scales of Justice via photopin (license)