Q&A

Federal Breach Law? No Time Soon

Despite the confusing patchwork of today's data breach disclosure laws, attorney Chris Wolf says don't hold your breath for a federal version.

By Joan Goodchild, Senior Editor

One example of how unreasonable these laws can be is the 2007 case of CS Stars, a Chicago-based claims management company. In that instance, the New York attorney general said waiting 7 weeks to notify clients about a breach when a computer went missing was unreasonable and a fine was imposed.

In that case, the computer was recovered and a forensic investigation was done. It turns out no one ever accessed the computer. So there was really no harm and the breach was remedied by the recovery of data. But this business was fined for what was perceived to be an excessive delay in notice.

Many of the state regulators that are focusing on this are focused on the chronological amount of time between breach and notice. I'm not sure they have a sufficient amount of knowledge of what is involved when a company needs to get its arms around a breach. Before a company can notify, they need to find out who has been affected and what has been exposed. There has been a violent reaction by regulators to a perceived delay in notice when in fact the passage of time is totally understandable. It is better to have an accurate notice to people affected than to cry wolf.

That said, what would you advise companies when it comes to data breach?
Businesses need to be ready in advance of a breach to know what needs to be done. Who is going to be responsible? Who's going to do what? This is necessary to avoid the regulator scrutiny that has occurred in past cases. If I were going to give one piece of advice to businesses, it's to get ready in advance of a breach, because it is more than likely going to happen to you.
