From a News Release by WV Attorney General Patrick Morrisey
CHARLESTON, W.Va. – Attorney General Patrick Morrisey  announced he has joined a bipartisan, multi-state effort to urge federal lawmakers against pre-empting state laws designed to protect consumers affected by data breaches and identity theft.

Attorney General Morrisey joined 46 other Attorneys General in a letter to the U.S. Congress emphasizing the importance of maintaining states’ authority to enforce data breach and data security laws, and their ability to enact laws to address future data security risks.
Citing recent Congressional efforts to pass a national law on data breach notification and data security, Attorney General Morrisey and the other Attorneys General cautioned lawmakers against federal pre-emption of state data breach and security law. The letter argues that any federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft, especially in states whose laws provide greater protections than federal counterparts.
“Protecting consumers is a top priority for my Office, and I want to make sure the federal government doesn't stand in the way of that,” Attorney General Patrick Morrisey said.  “Data breaches and identity theft pose significant and increasing threats to consumers, and while these federal proposals may be well-intentioned, they stand to hinder our local efforts to combat and warn consumers of these threats.”
The letter points out a number of concerns with federal pre-emption of state data breach and security laws, including: The letter urges Congress to preserve existing protections under state law, ensure that states can continue to enforce breach notification requirements under their own state laws and enact new laws to respond to new data security threats, and to not hinder states that are helping their residents by preempting state data breach and security laws. 
“Our state has taken a proactive approach to require companies to alert West Virginia residents whenever their personal data has been compromised,” Attorney General Morrisey said. “Our laws also give my Office the ability to pursue civil actions against companies that fail to adequately respond to these breaches. I would hate to see these reasonable protections usurped by new, overly broad federal legislation.”
In 2005, 44 state attorneys general wrote a similar letter to Congress calling for a national law on breach notification that did not pre-empt state enforcement or state law.
Today’s letter, co-sponsored by Arkansas, Connecticut, Illinois, Indiana, Maryland, Massachusetts and Nebraska, was also joined by the following states and territories: Alabama, Alaska, Arizona, California, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Northern Mariana Islands, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, and West Virginia.
A copy of the letter can be viewed here: