Connecticut's impact in the sphere of data privacy remains outsized in relation to its geographic footprint.

The Privacy Advisor: Acting FTC Chairwoman Rebecca Kelly Slaughter recently issued her first major statement on the FTC's enforcement priorities under the Biden administration, which included a focus on the anti-competitive nature of big data, as well as the use of artificial intelligence, particularly as they relate to misuse or abuse of facial recognition technologies. Do you expect your office to partner with the FTC or other states to oversee and implement these priorities? What other joint activity might be appropriate for state attorneys general and the FTC to pursue?

Tong: Like the FTC, my office is focused on addressing the anti-competitive nature of big data and thinking about how the law should apply to ever-evolving technologies. We also have a shared goal in ensuring that the use of artificial intelligence, including facial recognition software, does not go unchecked. If it did, this could result in serious privacy and civil rights violations.
The Privacy Advisor: What other data protection issues and topics are your focus areas of enforcement and priorities, and what other insights can you offer to privacy professionals and companies about what to expect in the upcoming year?
Tong: One area we are paying attention to is health care data privacy, a topic that is particularly important due to the pandemic. My office leads the National Association of Attorneys General Medical Privacy working group, and states have already been responding to the proliferation of data breaches involving sensitive medical information. With the surplus of data being generated with regard to COVID-19 exposure, infection and vaccination, we are also working to make sure that balance is achieved in having appropriate access to medical information so that the right people can help patients and the public while still securing that information and ensuring it is only used for the correct purposes.
There is also currently a focus on being proactive. When we are reacting, the damage has been done already — information has been compromised or a privacy violation has occurred. In our view, it is far more efficient to proactively ensure that privacy policies and practices comply with the law and are clear to consumers. With this in mind, we meet periodically with companies to discuss the privacy and security implications of upcoming or new products and services, and we have been able to have concerns addressed up front in a productive and cooperative fashion.
The Privacy Advisor: You're a veteran at cooperation with numerous federal regulators on enforcement activity. However, there is an increasing amount of municipality litigation, in which counties and cities, often using outside contingency fee counsel, take the plaintiff's seat in claiming damages on behalf of themselves and their residents for everything from climate change to data privacy breaches. For example, Chicago filed suit against Marriott for a 2018 security breach, claiming violation of the city's municipal codes in addition to violation of Illinois' consumer fraud and deceptive business practices acts – and in so doing, standing in the shoes of the Illinois attorney general in material respects. What are your thoughts on this trend, and how does it impact the work of your office?
Tong: Connecticut is currently one of the lead states in the multistate investigation of the 2018 Marriott, Starwood data security incident, so I will not comment on that specific matter.
Speaking more broadly, each state's consumer protection laws dictate who has standing under that law. In Connecticut, there is a private right of action under our Unfair Trade Practices Act. Any plaintiff filing under CUTPA must provide notice to my office and the Department of Consumer Protection so that we may monitor and, if necessary, intervene to protect Connecticut residents. Only my office has authority under CUTPA to bring enforcement actions on behalf of the state. Municipalities may bring private actions under CUTPA, seeking relief for the harm they have suffered, or my office may obtain relief for them through CUTPA enforcement actions.
The use of outside counsel very much depends on the matter and may be appropriate where certain expertise is needed or high resource demands are required. I'm happy to say that my office has a lot of attorneys who are recognized in their fields, but that expertise also places a high demand on those very same people. In Connecticut, where outside counsel is retained, we are very careful about how the fee structures are done to make sure that we have retained the right outside counsel at the right price with the right incentives to serve the public interest.
The Privacy Advisor: Earlier this year, you testified in favor of Connecticut House Bill 5310, An Act Concerning Data Privacy Breaches, proposing an update of Connecticut's breach notification laws. What provisions in the law were, in your opinion, the most important to change or add, and why?
Tong: One crucial update to Connecticut's breach notice law will be to expand its definition of "personal information." This definition is at the heart of the law and serves to trigger notice requirements, both to my office and to individuals whose sensitive information has been compromised.
As it stands, Connecticut's definition of "personal information" covers some of the most sensitive personal identifiers, including Social Security numbers and financial account information. However, these elements do not capture the full spectrum of information that may be used to perpetrate identity theft. To ensure that our breach notice law will better protect Connecticut residents, notice requirements must be broadened to include additional categories of sensitive information, including passport numbers, tax identification numbers, medical information, health insurance information, biometric data and online credentials. Without notice of breaches involving these elements, individuals could be left vulnerable.
Another key change is reducing the outside limit for notice of data breaches from 90 days to 60 days. Connecticut residents must be informed as quickly as possible when their information is at risk so they may take the appropriate action to protect themselves. A three-month notice delay is simply not acceptable in today's world, where identity theft or another misuse can take place days or even hours after compromise.
The Privacy Advisor: The legal landscape across the country is changing very quickly in regard to proposed consumer and employee rights to personal data privacy, and cybersecurity requirements for those entities handling their data. Connecticut's state legislature established a Task Force Concerning Data Privacy in 2019 to study these issues. Will Connecticut join the ranks of states, such as California, in enacting consumer data rights protection laws anytime soon?
Tong: I strongly support legislation that would provide Connecticut residents with express and — frankly, overdue — privacy rights. My office has always maintained that consumers should have as much notice and control over the collection and use of their personal information as possible. Connecticut residents should be afforded the right to know, the right to correct, the right to delete and the right not to be treated differently if they exercise those rights. They should also have the power to stop businesses from selling their sensitive data.
Protecting consumer data privacy rights is a responsibility that my office can and will be ready to take on. I suspect we will see legislation on consumer data protection soon, and we want to make sure that when Connecticut enacts such a law, it is comprehensive and gives us the appropriate tools and resources to be fair, thorough and vigilant in this important work. It also needs to be written so that companies can comply and implement the necessary mechanisms to afford consumer protections. My office will continue to stay engaged with the legislature and stakeholders as it considers the critical components of a consumer data rights law in Connecticut.
The Privacy Advisor: To propose a common standard across those states still considering their next steps concerning consumer data protection laws, Consumer Reports has proposed their own Model State Privacy Act, which includes a private right of action for individuals. In Connecticut, would you prefer to leave enforcement solely up to government bodies, or would you want to allow individuals also to bring a private right of action, and why?
Tong: My office is working hard to hold companies accountable for violating privacy laws, but defending the privacy rights of all Connecticut residents is a massive undertaking. If consumers have the ability to pursue appropriate remedies themselves, there will likely be more compliance through deterrence and enforcement. I do, however, believe that including the ability of the state to intervene is appropriate to ensure that, when necessary, the law is applied to protect all Connecticut residents, not just the litigants at hand.
The Privacy Advisor: There has been discussion of potential federal privacy law to be a guiding framework of standards for consumer data privacy. Many industry observers believe that it is a matter of time before Congress moves in earnest to construct such a law. What kinds of key provisions and elements would you prefer that such a federal law incorporate?
Tong: Federal legislation should establish a robust set of consumer data rights, mandate clear privacy notices to ensure consumers are aware of those rights and avoid a structure that places a too-heavy burden on consumers to exercise those rights. It should set strong requirements for data security measures to protect personal information and should apply to entities that receive data downstream.
I strongly believe that any federal privacy law must preserve a role for enforcement by state attorneys general. Connecticut and our sister states have proven to be nimble, effective and experienced in this field. We have often heard the argument that with different "cops on the beat," companies may be unfairly penalized. That argument has not been borne out by examples of our enforcement, including in other dual-enforcement regimes. Overlapping regulation among federal agencies and the states is nothing new. We share authority in well-established areas, like antitrust, consumer protection and Health Insurance Portability and Accountability Act enforcement. States and the federal government should be partners, sharing resources and complementing each other's work to advance the important goal of privacy protection.