It took Target a week to tell customers about a massive data breach that had compromised the privacy of millions of shoppers during the holiday season. Neiman Marcus waited 10 days to tell customers after confirming last month that it had been victim to a similar attack.
The delays angered consumer advocates, but were not unusual. When companies must notify consumers of breaches, how they notify them and how much they disclose is governed by a dizzying mosaic of state laws.
The Securities and Exchange Commission has said public companies hit with breaches should inform consumers in a timely manner — as long as doing so doesn’t interfere with law enforcement investigations. But there is no national law that compels retailers or any firm to disclose a data breach.
With law enforcement warning retailers that more attacks are likely to come soon, there is a growing push in Congress to develop a federal standard of how companies should handle breaches.
“Today, consumers across the country aren’t uniformly protected. Rather, they’re subject to a patchwork of state rules and guidelines that are not effective enough in today’s national economy,” said Sen. Tom Carper (D-Del.), who has co-sponsored a bill with Sen. Roy Blunt (R-Mo.) to provide a comprehensive national framework.
The bill would require companies to safeguard their data, assess what harm a breach may do, notify appropriate federal agencies of breaches and, when appropriate, notify consumers of all breaches that affect more than 5,000 customers.
It’s just one of several competing bills that have been introduced this session, inspired by the recent retail hacks.
The retail industry supports developing a national standard — though it hasn’t endorsed a single bill — saying that a national standard would greatly simplify procedures in case of a breach. Right now, companies must deal with a patchwork of laws in 46 states, plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands.
Each state’s law has its own idiosyncrasies. For example, Maryland requires that a retailer list the contact information of the state attorney general when there is a breach of personal information. Massachusetts residents must be told they can get a police report if they’re a victim of ID theft. Iowa requires businesses to suggest reporting suspected ID theft to law enforcement; Oregon mandates that affected consumers also be told to contact the Federal Trade Commission.
Few laws address specific timing. A handful of states say that retailers have 45 days to disclose a breach, though there are separate and more stringent rules for breaches of more sensitive information such as health data. In many states, including Virginia, companies are exempted from reporting breaches if their data are encrypted and the leak did not include the decryption key.
“It is an analytical feat to comply with all of them,” said Lisa Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP.
Having so many laws also means consumers can fall through the cracks, consumer advocates said.
“It’s a national issue and it demands a federal response,” said Delara Derahkshani, policy counsel for Consumers Union. A strong federal law would provide much-needed protection to consumers, she said — particularly in Alabama, Kentucky, New Mexico and South Dakota, which have no such laws.
Still, some security experts caution that a federal law would only solve part of the problem — and potentially give companies a way to ignore the problems with their security standards.
“The hackers and technology are going to move faster than any kind of standards that any well-intentioned, well-meaning bureaucrat can put together,” said Tom Ridge, former secretary of the U.S. Department of Homeland Security. “That may make you feel good, but I dare say it won’t go very far in making that company or your country more secure from cyberattacks.”
Ridge, who has founded a security consulting firm with former presidential cybersecurity advisor Howard Schmidt, said deeper issues are at stake. Competing companies and the government must share more information on emerging threats to detect attacks earlier, he said. And companies, he added, must also invest time and effort into detecting and reacting to attacks as they happen.
Carper, in a statement, said that his bill to institute a national notification law isn’t supposed to be a one-size-fits-all solution, but provides a much-needed backdrop on which others may build.
“It requires that these policies and procedures are appropriate to the sensitivity of the information the entity is collecting, as well as the size and complexity of the entity itself,” Carper said in a statement to The Washington Post.
But security experts worry too many standards could force companies to issue hurried disclosures before fully understanding the scope and impact of a breach.
“We used to be able to have time to do an investigation before we ran out and scared millions of people,” said Sotto.
With the numbers of cyberattacks on the rise and gaining wider attention, it’s become clear that even in the absence of a law, businesses must act more quickly to placate angry customers, consumer advocates said.
“Folks aren’t going to use technology, or engage in commerce if they can’t put their trust in it,” Derahkshani said. “It’s in everyone’s best interest for this problem to be addressed.”