Press "Enter" to skip to content

AG Koster urges Congress to preserve state’s authority to enforce data breach and data security laws



–joins multistate letter against federal preemption of states’ ability to legislate and enforce data breach laws —


Jefferson City, Mo. – Attorney General Chris Koster today joined 46 other attorneys general in sending a letter to the United States Congress emphasizing the importance of maintaining states’ authority to enforce data breach and data security laws, and their ability to enact laws to address future data security risks.


Citing recent efforts in Congress to pass a national law on data breach notification and data security, the attorneys general caution against federal preemption of state laws and argue that any federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft.


“States are on the frontlines in communicating with consumers,” Koster said.  “While the federal government plays a critical role in investigating data breaches, the states are important partners and must maintain authority to investigate breaches to best protect consumers.”


The letter points out a number of concerns with federal preemption of state data breach and security laws, including:


  • Data breaches and identity theft continue to cause significant harm to consumers. Since 2005, nearly 5,000 data breaches nationally have impacted more than 815 million records containing sensitive information about consumers – primarily financial account information, Social Security numbers or medical information.  Identity theft involving the use of a Social Security number can cost a consumer $5,100 on average.


  • Data security vulnerabilities are too common. States frequently encounter data breach incidents resulting from the failure by data collectors to reasonably protect the sensitive data entrusted to them by consumers, putting consumers’ personal information at unnecessary risk.  Many of these breaches could have been prevented if the data collector had taken reasonable steps to secure consumers’ data.


  • States play an important role responding to data breaches and identity theft.  The States have been at the frontlines in helping consumers deal with the repercussions of a data breach, providing important assistance to victims of  identity theft or fraud, and investigating whether the data collector used reasonable data security. Forty-seven states now have laws requiring data collectors to notify consumers when their personal information has been compromised by a data breach.


The letter urges Congress to preserve existing protections under state law, ensure that states can continue to enforce breach notification requirements under their own state laws and enact new laws to respond to new data security threats, and to not hinder states that are helping their residents by preempting state data breach and security laws.


Koster recently released a new Identity Theft Resource Guide that provides steps consumers can take to help protect their identity and what consumers should do if their identity is stolen.  The guide can be viewed on the Attorney General’s website at or can be ordered here.