Vol. 55 No. 4

Trial Magazine

On the Hill


Data Security Bills

Brian McMillan April 2019

After Equifax, Facebook, Google, Marriott International, and other corporations had to answer for breaches of hundreds of millions of users’ personal information, a normally divided Senate agreed that data security and overhauling privacy law were immediate priorities. After major pro-corporate industries and tech companies also agreed, AAJ started paying even more attention. AAJ members represent consumers injured by breaches of private information, so Public Affairs is carefully tracking and weighing in on all proposed legislation.

An influx of bills. After multiple hearings in the Senate and House of Representatives, stakeholders, consumers, and other interest groups nationwide circulated legal principles on protecting information, data collection, and liability for breaches. Most bills follow a similar framework combining robust federal enforcement with some assistance from state attorneys general to administer federal requirements for notice and handling a breach of consumers’ personally identifiable information and data.

Two common issues of concern arise in most federal bills: preemption and agency enforcement challenges.




Preemption. AAJ members rely on important state statutory and common law principles to bring actions for data breaches, inadequate notifications, and bad data security practices. Without any federal rules or remedies, state and common law sometimes are the only avenues available to hold entities accountable when personal information is compromised. It is vital that these causes of action are not eliminated at either the federal or the administrative level through explicit legislative language or judicial interpretation.

Court-created implied preemption has invalidated state and common law in similar instances—such as failure-to-warn labeling claims against drug companies—even when a federal law had clear language directing the opposite. AAJ is concerned that legislation providing an agency with unchecked power to promulgate preemptive rules will replace state and common laws with weaker federal rules and remedies.

Enforcement challenges. The Federal Trade Commission (FTC) has general jurisdiction over privacy and data security issues at the federal level. But FTC commissioners recently stated that inadequate resources, statutory burdens, and other limitations make agency enforcement extremely difficult. It is unlikely that the FTC alone can provide appropriate oversight to protect consumers, which is why federal legislation must not restrict our members from enforcing important consumer protections at the state level.

We also are looking for proactive ways to include positive language that will expand consumers’ enforcement rights in the event of a data breach, as well as legislative text that creates up-to-date definitions for breaches and both physical and economic injuries. Legislative language should reflect the reality that a breach is an injury, especially with the substantial threat of private information being used to harm the consumer. Additionally, we’ll look for ways to prohibit the use of forced arbitration in an entity’s terms of service to ensure that corporate contracts cannot replace congressional intent to expand consumer rights.

Next steps. We are meeting with both Senate and House members to advocate that preserving state claims must remain a priority. It is likely that many bills will be considered, and several general hearings will be held on a variety of data breach, notification, and privacy topics. Primary congressional committees of jurisdiction, which include the House and Senate commerce committees, may eventually combine several smaller bills into one larger package.

AAJ has a member working group that discusses ongoing legislative issues involving data security and privacy. For further information about legislation or to join our working group, please contact me at brian.mcmillan@justice.org.


Brian McMillan is AAJ’s federal relations counsel. He can be reached at brian.mcmillan@justice.org. To contact AAJ Public Affairs, email advocacy@justice.org.