If Sara Cable, CIPP/US, ran the world, every state attorney general’s office would have a data privacy and security division.
“There’s just so much work that needs to be done,” Cable said. And she would know. Cable was recently appointed chief of the new Data Privacy and Security Division within the Massachusetts Attorney General’s Office. “(Attorney General Maura) Healey has always cared very deeply about these issues, and I think it’s now become unavoidable to everyone that we are living our lives online. The protection of our privacy and data has become that much more imperative. And it constantly changes,” she said.
Cable has served as director of data privacy and security within the attorney general’s Consumer Protection Division since 2016, leading cybersecurity and consumer data privacy protection efforts. During that time, she served as lead counsel in Massachusetts’ lawsuit against Equifax over its 2017 data breach, negotiating an $18.2 million settlement, and has led several multi-state investigations of cybersecurity and data privacy incidents.
In creating the standalone Data Privacy and Security Division, Cable said Massachusetts joins a minority of states — primarily larger ones — that have a dedicated privacy unit, including California and New Jersey.
Given that Massachusetts — particularly the greater Boston area — is a hub for biotech and other industry businesses, Cable said a division dedicated to ensuring consumers’ personal data is protected is a “natural” step. The division will investigate and enforce the Massachusetts Consumer Protection Act and Data Breach Law to protect the security and privacy of consumers’ data.
While protecting consumers’ online privacy has always been vital work, those issues are now compounded by the pandemic, Cable said. Everything from entertainment to education is happening online in a way it never has before. Data security faces potential compromises, as well, with many employees working from home and children’s education happening remotely.
“I expect — and this is extremely unfortunate — but I think it’s realistic to say that over the next few months we are going to see bad breaches,” Cable said. “It’s inevitable that hackers are going to try to take advantage of the loosening of security policies in order to be able to work from home. So those are going to be issues all of the state (attorneys general) are going to try to grapple with.”
Certainly, part of the intent behind the division is to “ramp up” enforcement efforts where necessary, Cable said, adding enforcement “will continue and probably grow.”
Looking forward, she’d like the Data Privacy and Security Division to tackle another issue at the top of her list: ensuring machine learning and artificial intelligence algorithms don’t discriminate against individuals based on data that is protected by law, like race, national origin or age.
With no federal data protection law and few state laws, Cable said consumers don’t have a lot of power when it comes to their data or knowledge around what is being collected, who it is being shared with and how it is being used, and they need an advocate to “watch out for them” and ensure they can make informed decisions.
“I see this division as being an advocate for consumers, to empower them on the internet so that, in the commercial transactions they engage with online, they have confidence that those are being done safely and their data is being treated in a way they are aware of and that the material terms of the data exchange are obvious to them,” Cable said.
Joseph Jerome, CIPP/US, director of multi-state privacy at Common Sense Media, said the division is certainly a “positive signal” that “highlights the important role that attorneys general play in consumer protection and privacy enforcement. I certainly think it highlights that (attorneys general) are very interested in technology issues, they are very interested in privacy and that’s been a growing trend for years, certainly in the past few years.”
Indiana Attorney General Curtis Hill agreed. Data privacy has become a top priority in his office. His office has a data privacy and identity theft unit and is working to establish safe harbor standards that assist businesses with notification procedures and implementing corrective action in the case of a data breach.
Technology is advancing so rapidly, and bad actors are so advanced in using that technology to target consumers, Hill said, that states that don’t have a standalone data privacy division “will be woefully behind the times.”
“It is the thing that we have to deal with,” he said. “We’re going to see an absolute increase in the states that use data privacy as a priority vehicle for the protection of consumers.”
Jerome added that state attorneys general have been leading voices in conversations about privacy legislation, and Massachusetts’ division sets the state up nice for a comprehensive privacy law. California Attorney General Xavier Becerra has been vocal regarding the California Consumer Privacy Act, and in states that have considered privacy legislation, attorneys general have been involved in public testimony, engagement with stakeholders and more, he said.
“This is true in Washington state. It’s been true in Maryland and Vermont,” Jerome said. “I continue to believe that Massachusetts is an interesting place to proceed with more comprehensive or targeted privacy legislation.”