Posted: Robert Siciliano|July 7th, 2017


Data Breach Notifications Explained




What is the legal time passage following a data breach during which a business (like Target and Anthem) is required to notify customers and clients?

That's a trick question, because companies aren't even required to make these notifications AT ALL.

The Securities and Exchange Commission would like companies to send out the alerts in a timely fashion. And that's it. No legal enforcement.

An article explains that Congress is trying to come up with a federal standard for such alerts. One bill under consideration would require businesses to notify federal agencies of a breach and also alert consumers (when appropriate) of a breach that affects more than 5,000 people.

Wouldn't it be great if there were some national standard of notification that spans every state, every business? This doesn't appear to be on the horizon.

Every state has unique nuances to its laws. For instance, Iowa requires that companies recommend reporting ID theft to the police.

Most states, however, require nothing relative to a timeline of notifications. In fact, only several states require that retailers reveal a breach within 45 days. In quite a few states, though, businesses do not have to disclose a breach as long as the data is encrypted and the leak does not include the decryption key.

In short, there's just a hodge-podge of laws and suggestions that differ from state to state, and some states don't even have laws, like South Dakota and Alabama.

A strong federal law that sweeps across every state sounds like the solution, but lo and behold, it has skeptics. Some security experts warn that a federal law might cause businesses to become lax with their security. Passing new, more encompassing laws won't by itself make businesses any harder for hackers to penetrate.

Security experts suggest that there be more information-sharing between businesses and the government. Another point is that companies need to pay more attention to detecting a data breach and responding to it while it's in progress (of course, preventing it would be a whole lot better).

An attempt at a one-size-fits-all law has its critics, but so does a multi-standard approach that may compromise a company's ability to efficiently react to a data breach.

Robert Siciliano is an identity theft expert who discusses identity theft prevention.
