by Divonne Smoyer, CIPP/US and Kimberly Chow, CIPP/US
Sean Reyes was appointed to the position of Utah Attorney General in 2013 and elected to a full term in November 2016. He is known as a bipartisan thought leader among attorneys general on the issues of privacy and cybersecurity. His name has notably been mentioned many times as a potential nominee for the Federal Trade Commission. Reyes serves on numerous committees for national attorneys general groups, including the Internet Safety/Cyber Privacy and Security Committee of the National Association of Attorneys General, and has been a charter member of the Conference of Western Attorneys General, which is focusing its 2018 Chair Initiative on data privacy, cybersecurity and digital piracy.
Reyes and his office are known to be sophisticated thinkers on issues pertinent to the IAPP, and as a leader among state attorneys general, he is attuned to what attorneys general across the country are thinking in a very dynamic environment.
Here, he talks to The Privacy Advisor about what we can expect in 2018 from him and other state attorneys general in the areas of privacy and data security.
The Privacy Advisor: Media commentators are increasingly noting that there are only two seated FTC commissioners out of five positions, and some have expressed concern that the agency’s enforcement authority may be hamstrung as a result. What is your reaction to claims that states are likely to fill the gap or take the lead on privacy to make up for this perceived enforcement gap?
Reyes: States have long been considered the laboratories of democracy and this has not been any different for the issue of privacy and data security policymaking. Regardless of the makeup of the set of FTC commissioners, the states will continue to take a leading role in the policymaking and enforcement of privacy and data security issues facing our nation. President Trump is working hard with his staff and members of Congress to fill these empty seats to ensure proper representation on the FTC. In the meantime, state attorneys general will continue to work with the Commission’s regulators to protect consumers, and to be leaders in protecting their constituents’ rights.
The Privacy Advisor: You are very active in leading state attorneys general on privacy and data security through your roles in national organizations. There have been a number of high-profile data breaches recently, including the Equifax breach. Massachusetts has responded to the Equifax incident by bringing suit against the company, while other states are participating in a multi-state investigation, testifying in Congress, and proposing legislation that will mandate that companies provide credit protections for individuals whose information is compromised. What do you think is in store over the next year for attorneys general responding to breaches, and what are the chances that legislation will be passed?
Reyes: Let me mention upfront that we work very collaboratively in a bipartisan manner with our Democrat attorneys general colleagues on a vast majority of law enforcement and consumer protection matters. As law enforcement leaders, we as state attorneys general continue to investigate and prosecute cybercriminals. I believe we will continue to see complex consumer protection issues involving data breaches in the next year as hackers evolve the way they operate and employ even newer and more destructive tools. I think the scale of the Equifax breach was another wakeup call for policymakers across the country as well as those of us in law enforcement that we must do more to ensure our consumers are protected. Several companies and various state and federal governmental entities which have previously experienced data breaches have agreed to provide free credit protections for those affected by their respective breaches. We are at a major crossroads when it comes to data protection and privacy. Quantum leaps in new technologies provide major security challenges. The constant threat of hackers and the number of Americans who have been affected by these data breaches creates challenges for policymakers and the tech community at large to ensure proper privacy protection while enabling innovation, research, and development to continue at the current pace. Legislative proposals will continue to be introduced and will pass increasingly as policymakers hear more from their constituents about their experiences with data security. These proposals hopefully will include the views of various stakeholders and privacy professionals.
The Privacy Advisor: In the wake of recent data breaches, certain cities and counties around the country have taken matters into their own hands to bring lawsuits against companies. Some of them have hired outside counsel. How do these local actions affect state attorneys generals’ work in privacy and data security, and can we expect attorneys general to use outside counsel to prosecute data breaches as well?
Reyes: Municipalities have been more active in bringing these actions as parallel proceedings to the work of state attorneys general. Ultimately, state attorneys general have more resources available to them internally during the investigation and prosecution processes. Sometimes outside counsel is necessary due to the level of expertise needed. However, I see most attorneys general handling these matters internally or as part of a multi-state investigation.
The Privacy Advisor: State attorneys general have been at the forefront of data breach response and policy for some time, but have been less involved with interpretations of and enforcement actions targeting unfair data use. Do you see that role evolving in the coming year?
Reyes: If there has been a perception in the past that attorneys general have not been aggressive regarding unfair data use, I think several of my colleagues and I have changed that narrative. We have worked together to investigate some very large players when it comes to how they use data. Primarily under our consumer protection or anti-competition teams, we want to target unauthorized or non-transparent use of information that can directly harm privacy interests of consumers or harm competition which can indirectly affect consumers and can devastate other market participants.
I do see attorneys general becoming even more proactive and involved in tech and data issues as a response to the growing challenges that confront us. Our world continues to become more and more interconnected and digital with every innovation, every new app, every evolution of smartphones, tablets, vehicles, drones, artificial intelligence, etc. The way personal data is tracked and used is a concern of ours. We need more and more conversations with the tech community on this front — it is why you are seeing conversations pop up like the one Attorney General Mark Brnovich is hosting in Arizona for CWAG and one I am hosting in August in California on behalf of the Rule of Law Defense Fund. It is also important for attorneys general and policymakers to do what I have done – tour tech businesses, sit down with general counsel, CEOs, innovators and policymakers and talk about the crossroads of regulation and innovation.
I often call innovators, inventors and entrepreneurs “Technology Prometheans,” in reference to the Titan Prometheus from Greek mythology. After warring with the gods, he is known for stealing fire from Mt. Olympus as a gift to mankind and was punished for it with eternal torture. While fire was a blessing in many ways and improved the quality of life for humans from cooking food to providing security and warmth, fire could also be destructive if not controlled properly. Modern innovation is the Promethean fire of our age. Every transformational technology that solves certain problems and makes our lives better introduces new problems that complicate or threaten our lives like never before.
A proper regulatory balance will cultivate the benefits of technology while trying to minimize abuse and keeping its destructive nature from being unleashed. As policymakers and enforcers, we are tantamount to the gods of mythology (in the allegorical sense only) and must be wary not to punish or overly hamper the Prometheans. I see both overregulation that stifles innovation and the failure to update anachronistic laws that cannot properly regulate today’s reality as serious threats and disincentives to future innovators from bringing tomorrow’s version of fire.
The Privacy Advisor: You are currently Chair of the RLDF, the policy arm of your caucus of Republican attorneys general. You are also heavily involved in CWAG and kicked off and moderated that organization’s recent Cyber Security and Technology Forum. What are your goals in creating a dialogue among attorneys general moving forward with the tech community?
Reyes: My career background is a little different from many of my colleagues. I was outside counsel for a decade and a half, in which time I represented tech companies and innovators, then I became general counsel for a tech company and then counsel for an entity that owned or invested in several tech businesses. So, I have been on the other side of regulators. And I have seen how hard most businesses try to be compliant and careful and consumer-friendly. For a few of my colleagues who haven’t owned, represented or invested in tech businesses, I hope to remind them that when businesses are successful, it does not mean they have necessarily cheated or done anything wrong. We need to focus our not unlimited regulatory resources on the truly bad actors and not inhibit the good actors from innovating. We should spend more time as regulatory leaders finding ways to recognize and reinforce good business practices and encourage good corporate citizens to continue building businesses and creating jobs.
Now, specifically to the privacy community, I would say the following: Dialogues between the tech industry, privacy professionals, and state attorneys general are critical to ensuring we do everything we can to protect corporate and consumer data to the best of our abilities, while also promoting a fair and predictable consumer protection process for corporations. We have already seen large-scale hacking attempts on corporations and the government, such as the Sony hack several years ago and the breach at the federal government’s Office of Personnel Management. As we discuss these issues, we can help implement the best security policies and guidance for corporations to protect the data they possess. The consumer protection process is an extremely important aspect of our jobs as state attorneys general. My office prosecutes cases referred to us by the Utah Division of Consumer Protection, putting my staff and me at the front lines of assisting those who have been wronged during a data breach. However, overly aggressive enforcement actions do not always provide restitution to those affected most by the breach, and provide a disincentive for businesses to invest in states that do not provide clarity and consistency in their consumer protection approach. This is not to say we are letting companies off easy, but companies should know what to expect when they receive a call from someone in the attorney general’s office. I hope more and more tech leaders will engage us and partake in this conversation.
The Privacy Advisor: The Supreme Court will hear United States v. Microsoft this term, a case concerning the U.S. Department of Justice’s ability to access emails stored on a Microsoft server in Dublin. You led a coalition of attorneys general in filing a friend of the court brief urging the court to clarify the scope of a private company’s ability to shield evidence of crime from law enforcement by electronically sending that evidence out of the jurisdiction. Your office also recently stated that you support a legislative proposal by Utah Senator Orrin Hatch that would update the Electronic Communications Privacy Act to establish a legal standard for accessing extraterritorial communications. Can you explain the importance of resolving this important policy matter and the position of the states in supporting federal legislation?
Reyes: Just to clarify, my office did initially join in an amicus brief with other attorneys general because we support law enforcement. I am a champion for law enforcement and want them to be able to do their jobs properly and obtain much-needed evidence to prosecute serious crimes. However, I believe there needs to be strong privacy protections for individuals, and businesses cannot be caught between conflicting international laws and obligations. As I personally researched more on this issue, I became convinced that Microsoft was in a no-win situation caught in the trap of an unworkable law that badly needed updating. For that reason, I have been working with Hatch’s office to, among other things, update the ECPA to find a balance in which the reasonable needs of law enforcement, the business community and consumers can all be satisfied.