The office of Connecticut Attorney General (AG) George Jepsen has been at the forefront of state-led privacy enforcement issues for years, and Connecticut is widely considered to be one of the most active states in privacy policy and legal enforcement. The Connecticut AG’s office was one of the first to create a special privacy unit in 2011. And it was the first to exercise jurisdiction under the 2009 federal HITECH Act, which extends enforcement of federal privacy and security requirements governing protected health information to state AGs, suing Health Net in January 2010.

Jepsen has continued to be active in privacy matters since that time, advocating for an amendment to Connecticut’s breach notification law in 2012 to require notice of breaches directly to his office and leading major multi-state privacy investigations within the last two years. 

In this Q&A, AG Jepsen discusses Connecticut’s leadership role among the states in privacy and what trends he sees in state privacy law and enforcement.

The Privacy Advisor:
Your Privacy Task Force is one of the most “mature” of its kind among the states and has been involved in a wide variety of single-state and multi-state enforcement actions. What are the current areas of focus for this unit, and how have those changed since its inception? What can we expect from it in the next six to 12 months?

Jepsen:
The current areas of focus for my Privacy Task Force very much mirror those from its inception. The purpose of the task force from the beginning has been twofold. One, to proactively promote the protection of personal data and information, and two, to investigate any breaches of that information in violation of federal and state laws that require protection of that data or other violations of privacy.

My office serves as a resource for individuals and businesses seeking assistance in protecting their own information and that of their customers in a challenging and evolving technological environment. A key responsibility of the task force has been to educate Connecticut residents and businesses about their legal requirements in this area and the implications of the use and storage of such information. Task force members and I have spoken to trade groups and bar associations as well as participated in numerous panel discussions and presentations regarding data security and privacy in advancement of this important education objective. When breaches do occur or the privacy interests of Connecticut residents are otherwise implicated, the task force is responsible for all investigations by my office relating to potential consumer privacy issues.

The Privacy Advisor:
Connecticut has been part of several multi-state privacy investigations, including one concerning Google’s alleged circumvention of default cookie settings. It also had a substantial role in investigating the recent Target data breach. How important is multi-state cooperation in the context of privacy investigations, and how can businesses best respond to multi-state investigations—or avoid them altogether?

Jepsen:
Multi-state cooperation, particularly in privacy and breach cases, is often critical to our ability to fully investigate, understand and resolve investigations. It is the rare breach or Internet privacy case that is confined within any one state. Therefore, any settlement agreement or resolution will necessarily extend beyond a single state's physical border.

My office has very good working relationships with other offices around the country. Those relationships are productive and cooperative, focused on working together to achieve results wholly without regard to politics or party affiliation. Some investigations require the review of voluminous and often very technical information. Having the ability to share the workload and to solicit the input of others has proven very effective and allowed us to work more efficiently in certain matters than if we proceeded alone.

Incidentally, it also seems to be a well-received practice within the business community. Having a single group of AGs working together decreases the number of directions a business or law firm might be pulled in at one time. It is mutually beneficial. The business and its counsel have fewer balls to juggle, and our investigations move more quickly and coherently.

The Privacy Advisor:
Your office, like many AG offices, sometimes conducts informal inquiries before opening investigations or commencing enforcement actions. What tips do you have for businesses facing an informal inquiry? What are some actions or behaviors that trigger a formal investigation or enforcement action?

Jepsen:
Although it isn’t always easy to neatly classify the level of an investigation’s formality, there are certain instances in which we have proceeded on a more informal track. For instance, when I had questions for Google about Google Glass, I asked them to come in and discuss the product, its operation and the privacy controls in place to help protect consumers.

The resulting meeting and demonstration were immensely helpful. When we raised questions about the system in place to monitor third-party apps, Google agreed to manually review each app before allowing it to reach consumers.

The main tip I have is, frankly, be as honest and open as possible. I am not interested in "gotcha" moments, and I am not out hunting for headlines. If I write to you and express concerns, you can rest assured they are sincere concerns. In those instances, I really am interested in learning either why I should not be concerned or what we can do to address concerns that prove to be well-founded.

The Privacy Advisor:
In the nearly two years since entities experiencing a data breach have been required to notify your office, what trends have you noticed in terms of the breaches experienced and the entities and people impacted by them? Further, how has your receipt of these notifications influenced your privacy policy and law enforcement focus?

Jepsen:
In the first year when such notification was required, from October 1, 2012, to September 30, 2013, we received 427 reports of breaches of security. The breaches involved the personal information of approximately 587,955 Connecticut residents. On average, 781 Connecticut residents were affected by each breach.

Credit card companies reporting a breach by a participating merchant accounted for the largest number of reports, approximately 141. The retail industry submitted approximately 72 breach reports, some of which were duplicative of the card brand reports, followed by financial services companies with 71; health and insurance services with 42; restaurants with approximately 22; and educational institutions with 71.

The number of breaches and the industries involved have helped us focus our resources more in the areas where we can most help consumers. For instance, the retail breaches are alarming, both in terms of the number of breaches and the number of consumers impacted, and have led us to think critically about what is/was being done to protect consumers and what can be done better.

The Privacy Advisor:
Florida recently amended its breach notification law, which now includes data security requirements as well as a 30-day time limitation on notification to the AG and affected individuals. The new statute, effective July 1, also includes, among other things, medical history in the definition of personal information and requires that an entity take reasonable measures to dispose of personal information that is no longer needed. Is Connecticut contemplating similar amendments?

Jepsen:
My office is always considering ways in which we can better protect the privacy of the citizens of Connecticut. In the ever-changing world of data security and privacy, this is often a difficult task, and we try to stay ahead of the curve as best we can. For instance, it is already a legal requirement in Connecticut to safeguard personal information from misuse and to properly dispose of documents or electronic data containing personal information. This law, Connecticut General Statutes § 42-471, went into effect back in 2008 and has served as the basis for recent settlements where the safeguarding of personal information was at issue.

The Privacy Advisor:
As you know, the Federal Trade Commission (FTC) also has been very active in the area of privacy, issuing reports and conducting workshops to study evolving areas in which privacy regulation may be appropriate—including in the areas of child protection, mobile apps, online tracking, credit scoring and concerning the so-called “Internet of things.” How closely does your office in particular—and do state AGs more generally—work with the FTC in studying trends in these areas, and what joint activity may we see in the future from AGs and the FTC?

Jepsen:
My office has a very good working relationship with the FTC, having recently joined with it to file two lawsuits in Connecticut on consumer protection matters. We have not undertaken any efforts with the FTC focused specifically on studying trends in data security, although we have consulted and cooperated on individual breaches.

I’m certainly open to broader federal/state coordination of efforts. Some have suggested that federal law and federal enforcement should supplant the authority of state attorneys general on data privacy. I strongly reject that. Unfortunately, there is likely to be plenty of this work to go around for the foreseeable future, and Connecticut and other states have proven to be effective and experienced in this field.

As we have seen in the area of HIPAA enforcement since HITECH, the dual-enforcement regime has worked well and served to better protect our citizens' private information. States and the federal government should be regarded as partners, complementing each other's resources to advance the shared goal of privacy protection.