Data Breach Notifications Explained
What is the legal time passage following a data breach during which a business (like Target and Anthem) is required to notify customers and clients?
That’s a trick question, because companies aren’t even required to make these notifications AT ALL.
The Securities and Exchange Commission would like companies to send out the alerts in a timely fashion. And that’s it. No legal enforcement.
A Washingtonpost.com article explains that Congress is trying to come up with a federal standard for such alerts. One bill under consideration would require businesses to notify federal agencies of a breach and also alert consumers (when appropriate) of a breach that affects more than 5,000 people.
Wouldn’t it be great if there were some national standard of notification that spans every state, every business? This doesn’t appear to be on the horizon.
Every state has unique nuances to its laws. For instance, Iowa requires that companies recommend reporting ID theft to the police.
Most states, however, require nothing relative to a timeline of notifications. In fact, only several states require retailers reveal a breach within 45 days. In quite a few states, though, businesses do not have to disclose a breach as long as the data is encrypted—and the leak is absent the decryption key.
In short, there’s just a hodge-podge of laws and suggestions that differ from state to state, and some states don’t even have laws, like South Dakota and Alabama.
A strong federal law that sweeps across every state sounds like the solution, but lo and behold, it has skeptics. Some security experts warn that a federal law might cause businesses to become lax with their security. Passing new, more encompassing laws won’t make businesses less penetrable from hackers.
Security experts suggest that there be more information-sharing between businesses and the government. Another point is that companies need to pay more attention to detecting a data breach and responding to it—while it’s in progress (of course, preventing it would be a whole lot better).
An attempt at a one-size-fits-all law has its critics, but so does a multi-standard approach that may compromise a company’s ability to efficiently react to a data breach.