Josh Shapiro was sworn in as Pennsylvania’s attorney general in January 2017. Previously, he had served as a member of the Pennsylvania House of Representatives from 2005 to 2012 and subsequently as a member and chair of the Montgomery County Board of Commissioners. Among Shapiro’s top priorities as attorney general is protecting small businesses and consumers from scams and fraud, including repercussions from data privacy and security violations. Though he has served as attorney general for just over a year, Shapiro has demonstrated his commitment to these issues, having led the charge in investigations of high-profile data breaches since his inauguration. Here, Shapiro talks about his focus on reforming data privacy and cybersecurity policies and protecting consumers.

The Privacy Advisor: In March, you led a bipartisan coalition of 41 state attorneys general in sending a letter to Facebook CEO Mark Zuckerberg about the company’s business practices and privacy protections, following reports indicating that the data of millions of Facebook users may have been misused by third-party software developers. While Zuckerberg has faced tough questioning from Congress, what role do you and other state regulators intend to play in holding the company accountable? In light of what some view as a vacuum on the federal level in the ability to enact widespread reforms, such as an opt-in regime for data collection and sharing, will states be the leading force in regulating privacy in the U.S.?

AG Josh Shapiro: First of all, thanks so much for asking me to participate in this interview. The general public is starting to truly understand just how vital cybersecurity is in terms of protecting their identities, their data and their money, and the IAPP and its members are doing great work to safeguard all of our personal information.

The allegations about Facebook’s actions (or lack thereof) to protect our personal data over the past couple of years are truly troubling. We all joined Facebook — myself included — as a way to connect with our friends and families. We didn’t sign up to have our data mined for corporate profits or political gains by strangers who don’t have our best interests at heart. I intend to hold Facebook accountable for any violations of our privacy and consumer protection laws, but it is still early to say where we are going.

For some time now, state attorneys general have been at the forefront in seeking to ensure businesses properly protect consumer privacy and protect their data. My office is leading an investigation into the Equifax data breach, which exposed the personal information of at least 145 million Americans and 5.6 million Pennsylvanians.

One of the beauties of our federalist system of government is that when the federal government fails to enforce the laws, states can often pick up the mantle to seek justice for our citizens.

The Privacy Advisor: In one of your more recent investigations, you targeted a large-scale data breach and were joined by a bipartisan coalition of state attorneys general. In that action, you specifically highlighted that privacy and data security abuses affecting the elderly should be the subject of increased penalties. Have you seen this issue as a growing problem in your state? In light of the focus this year of the National Association of Attorneys General Presidential Initiative on elder abuse, do you see a new trend developing as state laws are deployed to protect the elderly?

Shapiro: Pennsylvania is home to 2.2 million seniors, the fifth highest amount of any state. Protecting seniors has always been a top priority in my office. Our Senior Protection Unit investigates abuse, neglect, financial exploitation and victimization of older Pennsylvanians. We also have public education programming tailored specifically to the needs of seniors, such as our Senior Crime Prevention University.

Pennsylvania has increased penalties for victims 60 years or older under the consumer protection law because this group of individuals is particularly vulnerable to being targeted by scammers. Our seniors fall victim every day to nonstop phone calls from criminals asking them for large sums of money, home improvement contractors taking advantage of them for repairs they do not need, and identity theft because of these breaches. Having spoken to my fellow attorneys general through NAAG, I can tell you that this is a priority for all of us.

My Office of Public Engagement conducts hundreds of educational events reaching tens of thousands of Pennsylvania’s seniors each year. Our goal is to give seniors the tools they need to protect themselves so that they can avoid falling victim to fraud and scams.

The Privacy Advisor: You have called on Congress to enact federal data privacy laws in an effort to provide uniformity and better protect consumers. However, you have also taken action to preserve Pennsylvania’s authority to enforce its own data breach notification law, opposing legislation in Congress that would pre-empt states’ data privacy laws. What do you envision as the cornerstones of federal data privacy laws, and how would they complement states’ data privacy laws?

Shapiro: It is crucial that states are able to step up when the federal government does not fully and effectively enforce the law. So, while it is important for the federal government to set national standards to protect consumers, it is equally important for states to be able to enforce these important data privacy laws.

In addition, there needs to be a safeguarding provision that holds companies accountable for their data security. We have seen major corporations who have experienced data breaches that should have never occurred. Look at Equifax — their only job was to protect our data, and they failed miserably. While not every breach can be prevented, companies have a responsibility to invest in their cybersecurity infrastructure. They need to be incentivized to put people ahead of profits.

The Privacy Advisor: In 2017, an unprecedented number of state attorneys general filed suit against corporations based on cybersecurity incidents that affected their constituents and violated their respective states’ data privacy laws. Can you speak to the legal and/or cultural shifts that resulted in this surge of litigation? How does regulatory action by attorneys general work in tandem with the increasing number of laws with private rights of action that are being exercised by the plaintiffs’ bar to sue over privacy violations?  

Shapiro: The sheer amount of data collected by so many different companies has entirely changed the scope of cybersecurity in America in the past few years. Gmail launched in 2004; Facebook became open to the public in 2006; Twitter didn’t even exist until 2006. Now, they’ve had over a decade to collect and store our personal information. As our lives have increasingly moved online, so too have the dangers that these companies will collect — and subsequently misuse or misplace — enormous amounts of our data.

Companies that track data are now on notice that not only are they are going to have to deal with litigation from private class actions, but attorneys general across the nation are going to be right there to investigate data breaches. Thanks to our efforts, companies who are affected by a breach are working faster to notify consumers about breaches to avoid violations of states’ data breach notification statutes.

The Privacy Advisor: You have observed that future cybersecurity incidents may be avoided if corporate culture is overhauled such that consumers are valued over profits. Of course, corporations must value profit to an extent in order to thrive. How can businesses strike a balance between these values, and what policies should they embrace to achieve the best outcomes internally and for consumers?

Shapiro: These companies need to be good corporate citizens. It is possible to do good while doing well. Companies used to value their employees and their customers, but the corporate get-rich-quick culture has caused many of them to start trying to squeeze every penny out of us with little regard for our well-being. Cutting corners may be profitable in the short term, but companies must have sound compliance operations and data safeguards in place to be successful in the long term.

If these companies only respond to their short-term bottom line at the expense of the welfare of their clients and customers, then I will make sure they feel the consequences of their actions. Companies must make protecting consumer privacy a top priority. That means investing real money into cyberinfrastructure. Far too often, we have seen companies proclaim that they take consumer privacy seriously when in fact they fail to spend even the bare minimum of resources to live up to those promises.

The Privacy Advisor: What are your priorities in the privacy and data security space for Pennsylvania, and what regulatory trends do you sense will emerge in the space generally, in 2018 and beyond?

Shapiro: I can’t speak for what legislators or regulatory agencies will do; my job is to enforce the law, not to write it. That said, I hope states will strengthen their privacy laws by requiring entities to notify consumers of a data breach as soon as practicable, without unreasonable delay and provide free corrective services to all consumers.

I have been out in front on privacy and data security since I took office, and I will continue to make it a top enforcement priority.

photo credit: dfirecop Pennsylvania State Capitol Harrisburg PA 1910 via photopin (license)