Skip to content
Main Menu
Utah Attorney General
Attorney General
Sean D. Reyes
Utah Office of the Attorney General
Secondary Navigation

Reyes and 46 Attorneys General Urge Congress to Preserve State Authority Over Data Breach and Data Security Laws

SALT LAKE CITY  – Utah Attorney General Sean Reyes joined 46 other attorneys general urging Congress to maintain states’ authority to enforce data breach and data security laws – and preserve their ability to enact laws to address future data security risks. Citing recent efforts in Congress to pass a national law on data breach notification and data security, Attorney General Reyes and the other attorneys general sent a letter to Congress cautioning against federal preemption of state data breach and security law. They argued that any federal law must not diminish the important role states already play protecting consumers in this area.

In the letter, Reyes and the other attorneys general point out a number of concerns with federal preemption of state data breach and security laws, including:

  • Data breaches and identity theft continue to cause significant harm to consumers.  Since 2005, nearly 5,000 data breaches have compromised more than 815 million records containing sensitive information about consumers – primarily financial account information, Social Security numbers or medical information.  Full-blown identity theft involving the use of a Social Security number can cost a consumer $5,100 on average.
  • States play an important role responding to data breaches and identity theft.  The states have been at the frontlines in helping consumers deal with the repercussions of a data breach, providing important assistance to consumers who have been impacted by data breaches or who suffer identity theft or fraud as a result, and investigating the causes of data breaches to determine whether the data collector experiencing the breach had reasonable data security in place.
  • Data security vulnerabilities are too common.  States frequently encounter circumstances where data breach incidents result from the failure by data collectors to reasonably protect the sensitive data entrusted to them by consumers, putting consumers’ personal information at unnecessary risk.  Many of these breaches could have been prevented if the data collector had taken reasonable steps to secure consumers’ data.

The attorneys general urged Congress to preserve existing protections under state law, ensure that states can continue to enforce breach notification requirements under their own state laws and enact new laws to respond to new data security threats, and to not hinder states that are helping their residents by preempting state data breach and security laws.

The letter was co-sponsored by Arkansas, Connecticut, Illinois, Indiana, Maryland, Massachusetts and Nebraska, was also joined by the following states and territories: Alabama, Alaska, Arizona, California, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Northern Mariana Islands, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, and West Virginia. 

In February 2015, Attorney General Reyes launched a new ID Theft Central ( website for public use to report, repair and find resources to combat identity theft.  On the website Utah consumers can conveniently report identity theft as well as enroll their children in a free Child Identity Protection program. They can also learn methods to protect themselves against identity theft, learn about Utah identity theft laws, become informed about the latest scams, and locate on a map where identity theft happens in Utah.