Federal Breach Law? No Time Soon

Since California’s historic 2003 passage of a data breach law, most other states in the U.S. have followed suit. 44 states now have laws that lay out requirements for companies in the event that sensitive information is compromised. Despite the groundswell of interest in the issue on the state level, there is currently no similar federal law. Chris Wolf, a Washington, D.C.- based attorney with Proskauer Rose LLP and chair of its privacy and security practice group, spoke with CSO about how long it may be until we see one.

CSO: 44 states now have individual breach laws on the books, but we currently have no federal law. Will we see one soon?

Chris Wolf: I don’t think you will see a federal law come out of the next session of Congress. I would be very surprised of that happened given the nation’s current priorities and given the difficulties Congress has had considering bills for a federal breach law in the past. A lot of businesses want to have a very high threshold for notification that gives them a lot of discretion on when to notify. And many consumer groups think too much discretion will mean not enough notice is given to consumers. So you have that tension and this battle and, as a result, the issue is deadlocked.

Given the high-profile nature of a number of breaches, such as the TJX incident, aren’t people demanding a federal law?

Consumers are not left unprotected with the current state of affairs, and it takes the pressure off of Congress to create a legislative remedy. But it is very difficult to comply with this patchwork quilt of laws.

Because of the individual laws in so many states, people are being notified. Many of the laws require companies to comply with the law for each state in which a client resides. So, if a company has data on people from several states, there is going to be nationwide notice.

There are certain federal breach requirements for financial institutions that are under federal supervision. For instance: All banks, broker dealers, and other investment companies. So of they are federally regulated there is a notice requirement.

You mention how difficult it is for companies to comply with all of the state laws. Why is that?

Because the triggers for notification vary from state to state. And now even the content of letters that go out vary from state to state. If a company finds they have data that has been compromised on someone from Massachusetts and also someone from Maryland, they have to send out separate letters within different content. There is also issue of notifying the appropriate regulators because each state has laws of notification obligation with respect to regulators. It’s very complicated to navigate the maze.

One example of how unreasonable these laws can be is the 2007 case of CS Stars, a Chicago-based claims management company. In that instance, the New York attorney general said waiting 7 weeks to notify clients about a breach when a computer went missing was unreasonable and a fine was imposed.

In that case, the computer was recovered and a forensic investigation was done. It turns out no one ever accessed the computer. So there was really no harm and breach was remedied by the recovery of data. But this business was fined for what was perceived to be an excessive delay in notice.

Many of the state regulators that are focusing on this are focused on the chronological amount of time between breach and notice. I’m not sure they have sufficient amount of knowledge of what is involved when a company needs to get it arms around a breach. Before a company can notify, they need to find out who has been affected and what has been exposed. There has been a violent reaction by regulators to a perceived delay in notice when in fact the passage of time is totally understandable. It is better to have an accurate notice to people affected than to cry wolf.

That said, what would you advise companies when it comes to data breach?

Businesses need to be ready in advance of a breach to know what needs to be done. Who is going to be responsible? Who’s going to do what? This is necessary to avoid the regulator scrutiny that has occurred in past cases. If I were going to give one piece of advice to businesses it’s get ready in advance of a breach because it is more than likely going to happen to you.