The days of companies being so afraid of the reputational impact of a breach that they would look for any way possible to avoid disclosure are gone. The pendulum has swung in the opposite direction. Now companies, often in the name of being “completely transparent” with their customers, want to disclose incidents as soon as possible (sometimes even before they know whether a “breach” actually occurred). The immediate disclosure “instinct” companies are developing is, in part, due to the number of incidents being disclosed. There certainly seems to be safety in numbers—there were significant breaches disclosed in 2014 that received much less attention than they likely would have if they had been disclosed prior to December 2013. The continuous news cycle of incident reports has awakened the reactive cycle of new breach notification law proposals. The new proposals, like their predecessors that were not enacted, are not paired with any empirical data of why new or expanded laws are needed and they often borrow heavily from existing laws that have obvious flaws.
Industry groups and even companies that faced highly-publicized security incidents have joined the call for a national breach notification law. The lure of a national law is having one standard instead of 47 state laws and potentially overlapping federal laws and guidance for financial institutions and health care entities. In practice, the differences across state law rarely make a difference in how a company responds to an incident. Unauthorized acquisition of a file containing names and Social Security numbers by an attacker triggers a notification obligation in every state law. But as states have expanded the definition of “personal information”—with some now applying to maiden names, dates of birth, or credentials to access online accounts—the differences have continued to increase.
If a national law is enacted, below are practical issues companies face when they attempt to comply with breach notification laws that should be addressed.
- Owner/Licensor. Most state laws require the “owner” of the “personal information” that was stolen to notify the affected individual, while a “licensor” or “processor” of the data is required to notify the “owner” which in turn is required to notify the individuals. The dichotomy of “owners” versus “licensors” and “processors” does not neatly apply to how data is collected and used. Payment cards provide a good example. Banks that issue the cards often assert that they are the owner of the card data. When a card is swiped at a retailer, many retailers only use the data from the magnetic stripe to gain authorization for the transaction (and they do not store that data). If payment card data is stolen while it is being routed through the retailer’s system to its processor, it’s hard to view the retailer as the “owner.” If not, then is the retailer supposed to notify the issuing bank who would then notify the cardholder?
- Discovery. Existing laws require notification to occur within a certain amount of time after the incident is discovered. But when discovery occurs is not defined. If a laptop was stolen that was believed to have been encrypted but the company learns two weeks later that an error occurred and the laptop actually was not encrypted, is the date of the theft or the date that the company discovered that the laptop was not encrypted the discovery date?
- Notification Timing. If an incident requires a forensic investigation to determine whether a breach occurred and then the nature and extent of the breach, it is difficult for a company to complete such an investigation and then carry out the steps necessary to mail letters to thousands or millions of individuals in less than 30 days. Setting a disclosure deadline any shorter than 30 days would likely encourage over-reporting, which would only further create “breach fatigue” and increase the likelihood that affected individuals will ignore notifications in scenarios where they really should take action.
- Method of Notification. Most scenarios require notification to occur by ordinary mail. Providing notice by mail may add five to ten days to the time it takes to provide notification. After a company builds a list of names and addresses, has the addresses run through the National Change of Address database, and provides a vendor with the letter versions and credit monitoring codes, it sometimes takes the vendor an additional three to five days before all of the letters are printed and mailed. Permitting notification to occur by e-mail or even text message, perhaps in conjunction with a notice posted on the company’s website, seems more likely to provide notification to individuals in a timely manner.
- Content Requirements. Some states just require notification, some states mandate that certain information be provided, and one state mandates that certain information not be provided.
- Risk of Harm. Some states permit a company to determine that notification is not required if their investigation leads them to reasonably believe that the incident will not result in harm to the affected individuals. In some states, companies can only rely on their determination that there is not a reasonable risk of harm if they provide their analysis to that state’s attorney general. Often, companies are unwilling to find out whether the state attorney general will agree with their analysis, so they err on the side of caution and provide notification, especially if only a small number of individuals are affected. Doing so, however, can establish a precedent that the company may not want if the same incident occurs in the future but a larger population is affected. There are scenarios where unauthorized access to personal information occurs, but it is clear that no harm will result. The classic scenario is the inadvertent e-mail.
The current version of the federal law proposed by President Obama does not address many of these issues.