More than 1,300 data breaches were reported last year at companies around the world, according to the 2014 Data Breach Investigations Report from Verizon. A breach was defined as “an incident that results in the disclosure or potential exposure of data.” Other studies identified significantly more than 1,300. Either way, the number of unreported breaches likely dwarfs the number of reported breaches.
Companies are obligated to report such data breaches to affected parties as well as to regulatory agencies under most state laws. Since California became the first state to enact a data breach notification law in 2002, 46 other states have followed suit, with Kentucky becoming the most recent when it approved a data breach notification law in April of this year. Only three states (New Mexico, South Dakota, and Alabama) do not have such a law. The New Mexico House of Representatives unanimously passed a data breach bill in February. However, the state’s Senate failed to act on the bill.
According to Judith Germano, a senior fellow at the NYU School of Law, Center on Law and Security, and a founding partner at GermanoLawLLC, state data breach notification laws are safeguards for customers whose data may have been compromised. “The focus is on providing consumers and other affected parties with information in the event of a data breach, to let them know in a timely manner so that they can take action, whether it’s by changing PIN numbers or checking credit reports, or otherwise protecting their personal information,” she tells Security Management.
In addition to damaging a brand’s reputation, the legal consequences of failing to comply with data breach notifications are daunting. “There’s also a host of wide-ranging litigation that companies can face….and then they also have to prepare for…liability brought by regulators as well as civil litigants,” she notes.
The patchwork of state legislation, along with varying industry standards and requirements, poses a challenge for companies that operate in multiple jurisdictions. “That is the challenge with not having a federally mandated breach notification,” says Chad McManamy, assistant general counsel at Guidance Software. “There isn’t that consistency. Most breached companies are dealing with individuals across state lines; it’s not like they’re going to be limited to one particular jurisdiction. So they’re going to have to weigh and balance the notification laws of individual states.”
Experts point to the Target security breach in December 2013 as a recent example of the difficulties organizations face in the absence of a federal law. “It’s difficult for companies like Target who face big data breaches to comply right now because there’s not one single uniform standard they can look to for clear direction,” says Todd Hinnen, partner with the privacy and security practice at Perkins Coie law firm and former head of the national security division at the Department of Justice. “They have to try and interpret the standards of 47 different states, which vary with respect to what triggers them, and what kind of information is protected….”
Currently no federal framework for national data breach notification legislation is poised to become law. Several bills that include federal data breach notification requirements have been introduced in Congress, such as the Data Accountability and Trust Act and the Personal Data Protection and Breach Accountability Act, both introduced in early 2014. (Neither bill has been considered since its introduction.)