“Call me soft-hearted, but my definition of harm goes well beyond the purely financial.”
Such was the kind of candid talk elicited from Connecticut Attorney General George Jepsen as part of a wide-ranging keynote conversation Friday at the second-annual IAPP Privacy Bar Section Forum in Washington.
“If you’d asked me when I was running for office in 2010 about privacy,” said Jepsen, “it would have been pretty far down my list of priorities. But I came into office in 2011 and hardly a week went by without a data breach cascading into my existence.” He realized that data breaches and other privacy issues first of all cut across all industries, and thus aren’t fit for concentrations in areas like health care or financial services, and that “the office was always being reactive to what was going on. There was no proactive activity at the time, and it became clear that this issue is all about prevention.”
That led to the hiring of Matt Fitzsimmons to lead a privacy and data security office, a road show intended to impress upon businesses the seriousness of data privacy, and a change to the breach notification law in 2012 requiring businesses to report breaches to his office.
“Overnight,” Jepsen said, “the number of reported data breaches quadrupled to about 500 breaches per year. Most of them are no harm, no foul.”
This has also led Jepsen to work with colleagues as part of multi-state investigations of data privacy issues, many of them generated as part of the National Association of Attorneys General privacy working group. He said most attorneys general just want to see that you’ve been transparent and genuine should a breach have occurred:
“How were you breached? When did you find out? How did you find out? What steps have you taken to notify the victims?” These are the questions, Jepsen said, you had better be able to answer in a hurry. “A lot depends on what was breached,” he said. “Is it credit cards, which are easily replaced, or social security numbers, which are quite another thing? What steps have been taken to make sure individuals are protected and how do we avoid this happening once again? We stress the importance of cooperating with us.”
Jepsen related a story about a large non-profit that lost an unencrypted laptop containing health information. “They self-reported and we investigated and they said the things they would do, and said, ‘Don’t worry George, this will never happen again,’ and then we never spoke about it publicly,” he said. “And then the exact same thing happened and we weren’t quite so accommodating that time.”
He also noted the benefits of participating in multi-state investigations: For one thing, you may not have to deal with 50 separate breach-law interpretations. There can be one settlement to rule them all.
However, Jepsen said, he’s also not opposed to having federal legislation in this space, which would pre-empt local state laws — with a few caveats.
“AGs should retain enforcement power of that federal law,” he argued. “We’re just far more nimble. There’s no way the feds are going to be investigating every small breach that might have a large impact. There’s no way they can investigate even a tiny fraction of them.”
Jepsen also noted that working with an attorney general in the product development stage can head off enforcement actions in the future. He noted that Google brought him Google Glass while it was in development, and his office and others persuaded them to pre-vet apps for the product (never released in full production) rather than allow a wide-open marketplace. Similarly, he said, Apple brought forward the Apple Watch early in development for at least two in-depth conversations. “They had good answers for us,” said Jepsen, “and we let it go. We’re always looking for ways to build constructive relationships.”