Attorney General (AG) Lawrence Wasden is Idaho’s longest-serving AG, having served since his election in 2002.

Wasden has been a strong advocate of consumer protection issues related to privacy, such as marketing scams and Internet safety, particularly with respect to teens and children. He also has served as president of both the National Association of Attorneys General (NAAG), the nonpartisan professional association for state AGs, as well as the chair of the Conference of Western Attorneys General (CWAG), an educational association focusing on legal and policy issues of importance to states in the western U.S.  

In this interview, Wasden shares his views on the increased focus by state AGs on privacy enforcement and regulation as well as the changing landscape in data breach notification laws.

The Privacy Advisor: At a July conference of CWAG, Federal Trade Commissioner Julie Brill, who is a former consumer protection assistant AG in the states of Vermont and North Carolina with very strong ties to the AG community, issued a challenge to AGs to become more active in the area of privacy. While the Federal Trade Commission (FTC) traditionally has been the primary privacy enforcement agency in the U.S., Brill encouraged AGs to collaborate with the FTC and cooperate with each other on privacy investigations consistent with the FTC’s regulatory and enforcement efforts. Since then, there have been several multistate investigations in connection with high-profile retail data breaches. In addition, we’ve seen the Connecticut AG request meetings with several high-tech companies to discuss the privacy implications of their new products. Do you think this represents a shift in approach signaling that the states are getting more involved in privacy regulation or perhaps even rival the FTC’s authority in the area of privacy?

Wasden: I am not sure that this is a shift, as much as reaction to a problem that is concerning more of our citizens and businesses. Generally, state AGs are elected. The constituents of AGs are directly impacted and concerned by data breaches. Based on these concerns, AGs get involved in the areas that their constituents are most concerned about, which means privacy and data breach issues are receiving increased attention and focus. To me, it represents a very natural evolution within both the legal landscape and constituent relations. One thing is fairly certain, states can generally move much more quickly than the federal government in addressing these issues. The other aspect, and I think that this might be particularly appealing to our federal partners, is that by cooperating, the FTC and states have the ability to tap a broad array of sophisticated legal talent nationwide. This is not a matter of AGs seeking to “rival” the FTC’s authority. The FTC has the authority granted to it by Congress and the AGs have the authority granted to them by their legislatures, and both will endeavor to fulfill that assigned duty. Over the years, we’ve learned that cooperative work and assistance provides good results for our constituents.

The Privacy Advisor: A number of states have strengthened their data breach notification laws over the past year as well. Both Vermont and Florida added time limitations in their laws for when notification must be provided to individuals and to the AG’s office. Florida and California have expanded the definition of personal information. Iowa also amended its law to cover paper documents. Is Idaho considering amendments to its data breach notification law as well?

Wasden: I am not sure what Idaho is considering for its 2015 session, but the 2014 session saw the introduction of eight pieces of privacy-related legislation. The big issues in 2014 were not centered around data breaches but instead access to private data. For example, Idaho enacted legislation restricting access to prescription databases (HB 348) and student data (SB 1372). It is very likely that legislation will be introduced related to data breaches in the upcoming session, particularly based on the recent announcements by major retailers. To me, it is important that businesses interact early and often with those introducing the legislation to ensure what is proposed reflects achievable improvements and remedies for businesses and constituents. 

The Privacy Advisor: On the subject of data breach notification laws, Kentucky recently became the 47th state to enact such a law. With each of the state data breach notification laws slightly different from the next, do you think we need a uniform, federal standard in this area?

Wasden: I am reluctant to recommend a federal solution over a state solution. Some of the best consumer legislation, such as the Do-Not-Call list, came as the result of state-enacted legislation. I understand that these laws have differences, but those differences enable us to better learn what works and what does not. Consistent with this approach, many state AGs have developed working relationships within the business community that enable efficient problem-solving in these areas. Those relationships equate to trust between the AG, his or her constituents and the business community, affirming the importance of state-level problem solving in these areas.

To me, then, the better approach is to review the data breach laws, identify the best aspects of the existing laws and then proceed to amend the state laws so that they are more homogenous. For example, a consistent notification process from state to state seems practical, particularly since, in this day and age, it is likely that a breach will affect consumers in more than one state. To assist in this effort, it may be worthwhile to discuss the formation of a working group within NAAG comprised of state AG representatives and industry representatives to identify best practices, model legislation and amendments designed to achieve consistency.

The Privacy Advisor: In 2008, you created the Idaho Internet Crimes Against Children Task Force. The task force is focused on the online safety of teens and children and provides useful tips on web surfing, wireless network security and online gaming. Children’s online privacy typically has been regulated and enforced on the federal level under the Children’s Online Privacy Protection Act (COPPA). Recently, though, we’ve seen a few states become increasingly aggressive in their focus on children’s online privacy. Both New Jersey and Maryland have brought enforcement actions against companies over their alleged COPPA violations. California’s “Eraser Button” law, which requires websites to allow those under 18 to remove postings from their website, was recently passed and goes into effect in 2015. Given your state’s focus on children’s privacy and safety, is Idaho contemplating similar actions or legislation?

Wasden: As I indicated above, one of the big issues in Idaho last year was student data security. I don’t think that concern is going to go away. That being said, I don’t know that measures introduced in New Jersey, California or Maryland are likely to gain traction in Idaho. My office’s efforts have been focused on educating parents and teens with regard to responsible use of social networking. In essence, making good decisions or choices with regard to their participation and posting within these forums. That being said, I think that one of the best steps that a social media or networking business can take is to be proactive in allowing teens and their parents the ability to remove and shut down posts and information. In other words, take steps that make this legislation unnecessary. Social network participation should not be the “Scarlet Letter” of our children’s teenage years.

The Privacy Advisor: Your office regularly warns consumers about the various collection and billing scams conducted over the telephone and by email. Some of these scams involve the perpetrators posing as legitimate Idaho businesses. What types of responsive measures would you advise businesses to take in the event their names are ever pulled into one of these schemes? How important is it that businesses and state regulators cooperate in their response efforts?

WasdenThe best recommendation I can make is for the business to immediately demand that the offending entity cease and desist their efforts. It is also helpful to contact and copy the appropriate private and public entities to assist in shutting down the offending entity. For example, the Better Business Bureau, the chamber of commerce and the consumer protection division of an AG's office can all offer assistance in matters such as this. You may even want to ask for the issuance of a consumer alert.