A recent letter from a bipartisan group of 31 state attorneys general to the Federal Trade Commission (FTC) asks the agency to both continue and enhance its various identity theft rules. The group, led by attorneys general Ellen Rosenblum (D-OR) and Kevin Clarkson (R-AK), points to the challenges presented by emerging technologies being regulated by dated rules. While the concept of regulatory obsoleteness is not new, the speed at which new technologies now emerge means that rules can become dated quickly.
First, the letter requests that the FTC not repeal or otherwise “roll back” any existing rules, citing significant increases in attacks on consumer-facing websites and the posting of consumer personally identifiable information (PII) on websites, including on the “dark web.” Second, the letter requests that the FTC update its requirements to protect email addresses and other information in light of the reported availability of oft-used verification information, such as date of birth and the last four digits of a credit card number.
The letter also points out a fundamental inconsistency of position on preemption and the respective roles of federal and state prosecutors. On the one hand, the attorneys general want the FTC not to “roll back” the impact of its rules. On the other hand, the attorneys general make it quite clear that these rules are a floor, not a ceiling, for perhaps more strict state rules. By way of example, the attorneys general point to specific protections afforded by Oregon and Massachusetts law that exceed those under FTC rules, but suggest that the solution is for the FTC to enhance federal protections for consumers who reside in states where the legislature has made a determination not to provide such protections.
This letter is particularly significant because, at a time of increasing partisan polarization, the group of 31 attorneys general is markedly bipartisan. The attorneys general along with their partisan affiliations include California (D), Colorado (D), Connecticut (D), Delaware (D), District of Columbia (D), Hawaii (D), Illinois (D), Iowa (D), Kentucky (D), Maine (D), Maryland (D), Massachusetts (D), Michigan (D), Minnesota (D), Mississippi (D), Nebraska (R), Nevada (D), New Jersey (D), New Mexico (D), North Carolina (D), Oklahoma (R), Pennsylvania (D), Rhode Island (D), Tennessee (R), Utah (R), Vermont (D), Virginia (D), Washington (D), and Wisconsin (D).
The significance of this development is that privacy and accompanying identity theft issues are an area on which public officials can unite across party lines, so a message of this nature may have a greater than ordinary impact.