NY AG Schneiderman Quits: What's Next for Enforcement?Observers Size Up Future of Data Breach, Privacy and Fraud Cases
New York State Attorney General Eric Schneiderman, who resigned Monday in the midst of an alleged personal scandal, was known for being one of the nation's toughest state enforcers in cases involving data breaches, privacy issues and fraud.
So, what happens next?
To fill the void left by Schneiderman's departure, Barbara Underwood, who has been New York's solicitor general since January 2007, was named Tuesday as acting attorney general.
"Our office has never been stronger, and this extraordinarily talented, dedicated and tireless team of public servants will ensure that our work continues without interruption," Underwood said in a statement on Tuesday.
But when it comes to cases involving privacy, breaches and fraud, Underwood, or her successor to be elected in the fall, will have a tough act to follow.
"Former Attorney General Schneiderman was among a few state attorneys general who sought to investigate and hold companies to account when evidence showed that an organization's failure to have adequate information privacy or security safeguards directly caused a breach," says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek. "The NY AG office has teams of experienced, seasoned investigators and attorneys empowered to pursue investigations against companies doing business in New York state."
Schneiderman abruptly resigned on Monday following allegations that he had physically abused several women. He denies the allegations.
"It is too early to tell what the priorities of the next attorney general will be," Holtzman says. "Schneiderman's resignation sets off a free-for-all among potential candidates for the November election."
Schneiderman's Track Record
During his eight years in the state AG position, Schneiderman pursued cases ranging from a multistate corruption investigation into Volkswagen for their auto-emissions cheating scandal to a recent consumer fraud lawsuit on behalf of all Spectrum-Time Warner Cable subscribers after a year-long investigation by his office found the company had deceived consumers about internet speeds and reliability.
In April, his office also announced it had launched inquiries into 13 cryptocurrency exchanges "requesting key information on their operations, internal controls and safeguards to protect customer assets."
Last year, Schneiderman's office smacked three mobile health app developers with enforcement actions that required each company "to amend deceptive statements about their apps and modify their privacy policies to better protect consumers." (See NY Deals with App Vendors Could Fuel More Privacy Actions).
In addition to breach-related enforcement in the healthcare sector, Schneiderman's office also reached settlements with companies, including Hilton, in other sectors.
Schneiderman last year also proposed a bill being considered by the state legislature - the Stop Hacks and Improve Electronic Data Security Act - that would update New York's data security law in the wake of the massive Equifax breach.
"The New York AG's office had been a reasonably aggressive force in bringing various kinds of privacy cases, both in areas where there are other regulators - like HIPAA - and in setting policy in situations where the HIPAA rules -or other privacy rules - may not apply," notes privacy attorney Kirk Nahra of the law firm Wiley Rein.
What's on the Horizon?
But what will happen in New York state's AG office moving forward?
"While those cases are obviously not only the responsibility of the top person, there clearly has been an agenda set by the AG over the past couple of years," Nahra says. "Whether that focus will continue will depend primarily on the new person. It certainly has been useful in the overall privacy debate to have this additional enforcement agency involved in some of these big picture issues, particularly in filling in some regulatory gaps."
New York isn't the only state with an attorney general's office that's been aggressive with breach-related enforcement.
For instance, New Jersey Attorney General Gurbir Grewal recently smacked a health practice, Virtua Medical Group - with a $418,000 fine for a 2016 breach.
Also, on Monday, Grewal announced the creation of a new enforcement unit, the Data Privacy & Cybersecurity Section, within the office.
Holtzman says it's difficult to measure the impact of an attorney general on the enforcement activity in their state.
"For example, California's attorney general has followed a tradition of vigorous enforcement of state information privacy laws enacted to require organizations that hold personally identifiable information to have appropriate safeguards and notify individuals promptly when there has been an unauthorized disclosure," he notes.
"In other cases that involve breaches that impact the citizens of a number of states, attorneys generals will band together to pursue remedies for the benefit of their state's citizens."
"There is always some concern with the broad range of authority for AGs that they would exercise their authority in a less informed way than the more focused federal regulators."
—Attorney Kirk Nahra
But there are pros and cons to state AGs pursuing certain security and privacy related cases, Nahra says.
"There is always some concern with the broad range of authority for AGs that they would exercise their authority in a less informed way than the more focused federal regulators," he says. "For example, it is not certain that the [U.S. Department of Health and Human Services' Office for Civil Rights] would have handled the NY AG's HIPAA cases the same way. But the enforcement [in New York] so far, while more frequent than in other states, has generally seemed reasonable."
Nahra expects many state AGs will become more active over the next few years on privacy and data breach issues.
Acting New York AG Underwood previously served as counsel and as chief assistant to the U.S. Attorney for the Eastern District of New York. From 1998 to 2001, she was the acting U.S. solicitor general and principal deputy solicitor general of the U.S.
The New York state AG office did not immediately respond to an Information Security Media Group request for comment.