CT AG Reacts to Genetic Data Breach

A data breach that exposed sensitive data collected in genetic testing that could potentially be used to target vulnerable populations has attracted the attention of Connecticut AG William Tong. In Episode 9, Chris Allen and Hannah Cornett discuss the implications of the breach and consider ways businesses that collect highly sensitive information can anticipate and prepare for data security incidents.

PRODUCED IN COLLABORATION WITH:

Stephen Cobb, Member, Executive Producer

Suzette Bradbury, Director of Practice Group Marketing (State AG Group)

Elisabeth Hill Hodish, Policy Analyst

Legal Internet Solutions Incorporated

Transcript

Hannah Cornett

Welcome to the third season of State AG Pulse. In this season, we’re selecting one story every week from the state AG news. Over the next ten minutes, we’ll take a quick dive into that story to analyze the impact of AGs as regulators and consumer protection guardians, and provide tips to help your business work successfully with state AGs.

Chris Allen

Hello and welcome or welcome back to State AG Pulse. I am Chris Allen, a partner in Cozen O’Connor’s state AG practice, and today I’m very excited to be joined by my colleague Hannah Cornett, an associate in our practice. Hi Hannah, how are you doing today?

Hannah Cornett

Doing well, Chris. How are you?

Chris Allen

Good, thank you. And today we are going to discuss something that demonstrates how extensive state AG authority is and how many different subjects they can touch with their various powers. Specifically, we’re going to be showing some extra love to Connecticut AG William Tong. If you listened, last week we featured a letter that William Tong led about the baseball antitrust exception, and today, just by coincidence, he had one of the more interesting letters this week, specifically a letter to the genetic testing company 23andMe. Hannah, can you tell us a little bit about what General Tong is doing this week?

Hannah Cornett

Sure, so AG Tong sent an inquiry letter to 23andMe about a data breach that the company reported in a press release on October 6th and AG Tong took issue with the fact that, one, 23andMe had not submitted a notification to the state AG yet, and two, there were some reports that the bad actor targeted specifically users of Ashkenazi Jewish descent or Chinese ancestry as well and AG Tong noted that that’s particularly problematic and troubling given the rise of anti-Semitic and anti-Asian rhetoric in recent years. In that letter, he noted his concerns and also pointed out that this calls into question 23andMe’s data security practices, and so he asked a series of questions for the company to respond to about the practices as well as the breach in general.

Chris Allen

Why Connecticut? Why are they sending this letter? Why do they care? What makes this especially sensitive?

Hannah Cornett

States have varied data breach notification requirements, and Connecticut is a state that requires notification within 60 days of discovery of the breach. And here AG Tong specifically calls out 23andMe for failing to notify the state AG’s office even though it appears, based on the timeline of the press release, that the company may still be within this 60 day margin.

Chris Allen

Connecticut is one of probably the four or five states that are leading in this area. Connecticut, just in general, punches above their weight class in the AG world, especially in antitrust and data privacy, data security. And so generally speaking, if you have a data breach, Connecticut, Maryland, Illinois, Oregon, maybe Washington state, you’re going to hear from those states because they really are leaders in this area.

I believe the Connecticut law says 60 days or without unreasonable delay. And I think that’s key here because first of all, you have, it appears to be, again, taking AG Tong’s letter at face value, specific ethnic groups were being targeted. And as we’ve discussed on prior episodes, AGs really, really care and take specific notice when particular groups are being singled out. Usually vulnerable groups, the elderly, minors, seniors, members of the military, ethnic groups, et cetera. I think this is also maybe slightly personal for General Tong because he takes great pride in the leadership he’s shown in the Asian community. I think he’s the first statewide elected official of Asian descent in the state of Connecticut, and so the fact that something is impacting citizens of Asian descent as well as Ashkenazi Jews, because we all know about all of the unfortunate and horrific things that are happening in Israel and Palestine these days, I think there’s extra sensitivity here that makes the “unreasonable delay” language a hook that he could hang a letter like this on.

Hannah Cornett

Yeah, that’s interesting. I’m interested to see how this plays out, whether we in the future are going to see a more comprehensive CID, whether other states jump on and are also going to be submitting letters to 23andMe.

Chris Allen

Yeah, that’s a great point about whether other states are going to move on this because again, taking AG Tong’s letter at face value, the potential data that was exposed includes name, sex, date of birth, geographic location, and genetic ancestry results. From a client services standpoint, we’re always thinking maybe we could clone our good associates, maybe we could clone Hannah Cornett like Gattaca, right?

Hannah Cornett

I mean, I fully support that. If somebody can take on the workload for me, I mean 100%, that’d be phenomenal.

Chris Allen

Your husband wouldn’t mind if we Gattaca’d you, took the best components of you, and made a Hannah that bills a million hours a year?

Hannah Cornett

It’d be interesting. I wouldn’t mind a clone of him to just help out cleaning around the house a little bit more. But yeah, no, that is interesting. This is very sensitive data here, and even though we’re not quite there yet, where maybe people could use it as a way to build humans, it’s still, I think, going to leave people a little on edge knowing that this might be out there with a bad actor.

Chris Allen

It’s just not like we can build people quite yet, but those others are traditional ID indicators that can be used to commit identity fraud, and we know that criminal organizations and nation states have been very aggressive in targeting companies. Not just companies, but all kinds of entities trying to hoover up as much data as they possibly can in order to build these databases that they can then sell on the black market or use for their own internal national security and intelligence purposes.

Hannah Cornett

I think that handing over genetic data in general is always going to be sensitive, so I am not entirely surprised that something like this would happen at some point.

Chris Allen

And you used to think it was just banks that were, or maybe hospitals, but companies…This used to just be about money, right? And now you have hackers, you have intelligence services. I know law firms have been targeted, hospitals have been targeted. And now to see a company like 23andMe, I mean if you really think about it, data security should have been on top of mind, but probably wasn’t really on top of their mind because who’s going to go after a genetic testing company? Well, guess what? If you are the easiest way to get somebody’s date of birth and name and geographic location, you get that information and you are a long way down to being able to commit identity theft. And so it’s just they’re working through the weakest links and AG offices I think are increasingly cognizant and leading in the area that it’s not just your financial information people are interested in. There’s a lot out there and some of it is in very vulnerable places.

Hannah Cornett

Yeah. I should also note that the inquiry letter flags that it looks like this could have been a credential stuffing incident where the bad actor was just going through recycled login information that users had, so maybe the user had the same password for 23andMe that they did for another site that was hacked. I suspect that the AG’s office is going to be looking to whether 23andMe had MFA in place, multi-factor authentication, just as a backup for this kind of thing.

But let’s talk about the notification in general. In your experience, how soon do you think it is that a company should notify an AG’s office about a breach? Obviously, the states have individual notification deadlines, but if you’re still investigating the breach, is it better to go ahead and report now and supplement later once the numbers are more finalized? Or do you think it’s better to maybe have a bit of a delay in it just to make sure that you’re confident in the numbers before submitting it?

Chris Allen

Every case is different. You’re always taking a lot into consideration. Did we really have an incident that was compromised, i.e., was the data accessed or was it exfiltrated? What kind of data did they get based on the databases? And a lot of this requires a lot of detailed forensic analysis, it gets very, very technical. My general opinion, and this comes not just in the data security context but just in the AG context, is you’re not going to hide from a state AG; you’re not going to be able to conceal. You might be able to push something off, but their powers under their consumer protection acts, under their data protection statutes, under their data breach notification statutes are just so broad. My advice to companies is if you think you have an issue, you should really be proactive in getting out there and communicating early and often with the AG’s offices, ‘cos these are the guys you’re going to be talking to.

And I get that you’re also probably going to be talking to the FBI or the DOJ, you’re going to be talking to your insurance companies, but the state AGs are the ones who really these days can bring enforcement actions, either seeking incredibly high penalties for failing to adhere to your data breach notification requirements, and also seeking to impose really significant conduct provisions through consent judgments or assurances of voluntary compliance that could cost companies, and I’m not exaggerating when I say billions of dollars over years. My advice to 23andMe in this case would’ve been if you thought this was a possibility, you should have engaged with the AG’s office as soon as possible. I don’t know if they didn’t do that, and maybe General Tong is just staking out, like “I’m concerned”, but a dialogue with a state AG specifically when you think you have had a data breach, especially impacting sensitive groups, should be a best practice.

Hannah Cornett

I also think it’s important to think about coordinating the AG notifications with the consumer notifications as well. Whether it’s individual notifications or a press announcement, I think that it’s better to get out ahead of it and establish some goodwill, and I think that can really help in the long run.

Chris Allen

It actually behooves anyone out there who touches any consumer data, which at this point is literally everybody, to have a playbook and to go find counsel if you don’t have the resources yourselves and actually make the investment in putting together a data incident playbook, which among other things, to your point, keeps current whatever the requirements are under the 51 state data breach notification laws in the country. General Tong, if you’re out there, I hope you’re feeling the love. We’re going to keep watching because some interesting stuff is coming out of your office. And Hannah, I can’t tell you how much I appreciate your insight in breaking this down for us. Was a great conversation.

Hannah Cornett

You’ve been listening to State AG Pulse, brought to you by Cozen O’Connor’s State AG Group and the State AG Report. Please leave us a five star rating and of course, tune in next week.