Chris Carr was sworn in as attorney general of Georgia in November 2016 after being appointed to fill his predecessor’s unexpired term. Carr, a Republican, was subsequently elected in November 2018 to serve a full four-year term. Prior to serving as attorney general, Carr spent six years working as chief of staff for U.S. Sen. Johnny Isakson, R-Ga., then served as commissioner of the Georgia Department of Economic Development from 2013 to 2016. 

Here, he discusses why he doesn't mind that his state doesn't have mandatory breach notification requirements and what he wants to see in a federal privacy law, should one come to fruition.

Attorney General Chris Carr

The Privacy Advisor: Georgia has a reputation of being very pro-business, a feature that you have embraced, as well. How do you think consumer-based privacy regulations impact business, either positively or negatively?

Attorney General Chris Carr: Having previously served as the commissioner of the Department of Economic Development, I’m very proud of our state’s success. We have a reputation for being a partner to the private sector and finding common-sense solutions that make Georgia a great place to live, work and raise a family. And, we are an intensifying hub for industries like cybersecurity, financial technology, health, information technology and the internet of things. In fact, our state now ranks third in the nation for information security, and we are home to approximately 115 information security companies with Georgia-based operations, generating more than $4.7 billion in annual revenue. And, more than 25% of the worldwide security revenue market share is generated by companies in Georgia.

All of which are true points of pride for our state. You don’t become a powerhouse without a great deal of partnership and collaboration. At the state level, we have focused and will continue to focus on workforce development, innovation needs, building constructive partnerships in and among the public and private sectors, as well as creating an environment that provides an overall business-friendly climate equipped to support companies like no other place in the nation.

The bottom line is this: Being pro-business is part of Georgia’s DNA. But what makes us unique is our sustained commitment to working with and listening to the mid- to long-term needs of business. I believe that what we are doing in Georgia can be an example for other states to follow. And, as Georgia’s attorney general, I apply that same pro-business philosophy to my role of ensuring we have a stable legal and regulatory environment that protects consumers and allows companies to thrive.

The Privacy Advisor: Data breaches continue to dominate the news, and recently Georgia had a leading role in the historic Equifax breach settlement. Georgia, however, has not enacted legislation requiring notification to your office of data breaches, regardless of their size. Even though such notification is not legally required, do you think it is important for companies suffering data breaches affecting Georgia residents to reach out to your office, and if so, how would they best make that outreach? Do you support expanded Georgia data breach notification laws to require notification to your office?    

Carr: An attorney general’s job is to protect the interests of the citizens of their state. That means engaging in investigating when and where appropriate. With that in mind, I’m also aware that there are good companies devoting countless resources to proactively protect data. In fact in my first year as Georgia’s attorney general, I conducted roundtable discussions with many of Georgia’s leading companies to learn more about how they’re confronting cybersecurity issues. Some are having to fend off 1,000,000 or more attempts a day, and they have to be successful 100% of the time, while the criminals only have to be right once. And, when the criminals do get through, in addition to dealing with the immediate implications to their operations and consumers, the companies are struggling to map out the intricate web of regulations for the regions in which they operate.

These are, generally speaking, extremely complex situations. So, when a data breach occurs, I am not going to immediately presume anything. But, there are two things that I believe must occur as quickly as possible. First, we must identify how the breach has impacted Georgians and work through our Consumer Protection Division, the legal divisions of our Department of Law, our law enforcement partners and others to ensure that innocent consumers are protected and taken care of. Because in the world we live in today — where identities can be quickly stolen, goods and services purchased, and irreparable harm done — the individuals whose data has been stolen, through no fault of their own, are the ultimate victims. We must not lose sight of that fact. Rightfully so, at times like these, consumers are scared, confused about what to do, and they’re angry about what has happened. We must keep their needs at the forefront and do all we can to assist them.

Second, we must commit to learning the facts. We must ask the following questions of the organization:

• What happened?
• When did the breach occur?
• What damage was done?
• Who was harmed?
• How many people did the breach impact?
• What were you doing to protect consumer data before the breach?
• And, in wake of the breach, what are you currently doing to alleviate the burden placed on the innocent consumer?

We cannot remedy past problems without knowing the facts, and likewise, we cannot prevent future problems without knowing the facts. And, we will not learn all the facts unless we work together — federal and state agencies, federal and state law enforcement, regulators and those who have been the targets of the breach.

In the wake of a breach, I do believe it is our office’s duty to uphold the law. I do not believe, however, that justice is done when, for example, businesses are disproportionately penalized for a breach occurring but can show that they were, in fact, proactive in preventing and rectifying issues. The public policy efforts in Ohio and others elsewhere [to put in place a safe harbor for businesses whose data security practices meet certain standards] are certainly interesting to think about, and I think these are the type of conversations we should have to give companies greater incentives to safeguard consumer data.

In fact, our Georgia Chamber of Commerce has shown interest in similar legislation in our state. At the end of the day, we must remember when situations arise that a crime has in fact been committed. State-sponsored actors, hacktivists, loose confederations of hackers and lone wolves often are the perpetrators behind these breaches. They are the criminals. Companies, government agencies and private individuals, they are the targets. We must keep that in mind and do all that we can to go after the criminals, stop them and learn as much as we can about how they operate; otherwise, this will continue again and again and more lives will be disrupted.

I realize that in the litigious society that we live in, it can be hard to come together at times like these, when breaches occur. But, the more we work together — the public and private sectors, companies and law enforcement, state and federal partners alike — the more success we will have in the long run of reducing the frequency of such breaches, minimizing the impact of these breaches and ultimately stopping them from happening.

So, yes, I do believe companies, in good faith, should coordinate with our office and other appropriate law enforcement entities in the wake of a breach.

And, as far as expanded data breach notification laws in Georgia, I think that is a conversation that we are willing to have with our state legislature and our business community, but I also believe that there is value in having the federal government provide consumers and companies more consistency and certainty, as well.

The Privacy Advisor: Discussions of a potential federal privacy law have heated up recently with the rapidly approaching Jan. 1, 2020, effective date of the California Consumer Privacy Act. Other states have proposed or passed similar legislation, and while there seems to be bipartisan support for a national privacy law in theory, Congress has not yet come to a consensus on what that law should look like, including on issues such as scope, preemption, enforcement by state attorneys general and the existence of a private right of action. As someone who may ultimately have authority to enforce such law, what type of privacy law would you like to see coming out of Congress?

Carr: I believe that to do right by our citizens, individual consumers, businesses and financial institutions it takes cooperation and education at every level: local, state, federal, private and public. We will all benefit from coming to a solution on a uniform and consistent regulatory framework.

I believe that any legislative or regulatory enforcement should be consistent with a few key principles.

First, we should employ a balanced approach that protects consumers and maintains an environment that allows businesses to grow without unnecessary and costly regulations stifling innovation. Regulatory burdens are real. They drive up costs. Drive down employment. And they slow economic growth and innovation.

Second, in the wake of a data incident, businesses may have to be held accountable, but they should not be disproportionately penalized when they, for example, are not negligent and come forth to disclose what has occurred and quickly take the proper actions to rectify weaknesses or errors. 

Third, we must encourage organizations to be proactive and to protect themselves and consumers through the most effective and up-to-date privacy measures.

Fourth, we must acknowledge the reality that these are evolving threats and that proper security measures must evolve with the threat. So from a governmental perspective, we should have a flexible legislative, regulatory or enforcement approach that allows for innovation and adjustments to counter these threats. Technology evolves at such a rapid pace, and any legislative or regulatory solution must be flexible enough to keep pace with the constant evolution of technology.

The Privacy Advisor: In the absence of federal privacy law, California and other states are passing their own, sometimes disparate, laws to protect consumer privacy. While states should certainly exercise their roles as laboratories of democracy to protect their citizens in whatever way they deem fit, when a state as large as California passes legislation, it often has the effect of becoming the national standard. As a result, citizens of Georgia and other states become subject to laws that they have no say over and for which their elected officials have no enforcement authority. What is your view of California or other states setting a de facto national standard in this way? 

Carr: We appreciate the consistency and uniformity of a federal approach to these types of standards. We all need predictability when dealing with privacy incidents which impact consumers in our states. A patchwork of different requirements across state lines makes it challenging to respond in the wake of data breaches and best protect the consumers in our states.

The Privacy Advisor: What can people in the privacy field expect from Georgia for the rest of 2019 and 2020?

Carr: I think people can expect that Georgia is going to be a constructive voice in these conversations. We will apply a balanced approach to any regulatory conversations in order to protect our consumers and provide flexibility for good companies to continue to innovate and serve customers. 

Photo by Wesley Tingey on Unsplash