Data Breach Notification Laws: Is it Time for a Uniform Standard?

State data breach notification laws had two primary aims in mind. The first was to potentially embarrass organizations to improve their data security by forcing them to disclose certain data breaches publicly. The second was to help consumers have a fighting chance against identity theft by arming them with the information they needed to adequately respond to a data breach and protect their accounts and identities from theft.

As we covered in “Changes to Data Breach Notifications in the Air,” since the first data breach law went into effect in 2003, there has been controversy surrounding what types of data being exposed should trigger data breach notifications, who should be notified and how quickly they should be notified.

While it’s been more than 15 years since California set a precedent, these laws have proliferated around the world, and in the United States. They have been becoming more prescriptive about the type of data that must trigger a notification and the time frames in which notification must be done.

Today, just about every state has created its version of the data breach notification law, which some contend has created a hodgepodge of state laws that all organizations that hold data must comply with. This is why there have been calls for a uniform federal data breach law by such groups as the National Retail Federation and the Financial Services Roundtable. Security firm Digital Guardian created a detailed data-breach disclosure law infographic that is available here.

Would a standard federal data breach disclosure law be beneficial? The idea garners mixed reaction among security experts.

“A national data breach disclosure law is a great idea. Since state compliance isn’t standard, and corporations’ home states can vary from their data center locations altering reporting requirements, consumers deserve a uniform notice of what happened, when, where and how,” said Paul McGough, founder and CTO of Qwyit. “Not only will this facilitate law enforcement by creating a true, shared database of activity, it also will raise the bar on arriving at strong, uniform cybersecurity protection methods. Consumers, companies, enforcement and protection all benefit. There is no drawback to awareness and enlightenment.”

Jake Kouns, CISO at Risk Based Security, said a national breach law on the surface seems positive, but he has some concerns. “There are currently several states including Massachusetts, California and even Florida that have laws in place that are quite strong for requiring notification for any residents that are impacted by a data breach, but also requirements for businesses to have a solid information security program in place,” Kouns said. “The main concern is that if a federal law replaces the current state legislation, then instead of picking the most strict law to protect U.S. residents, it would default to the least amount of notification and security requirements available and reduce some of the great works that are currently in place.”

Many of experts are also mixed. “I believe that there are two parts to your questions one is procedural, and the other is substantive,” said Benjamin Dynkin, a cybersecurity attorney in New York. “As a matter of procedure, the national data breach notification law is certainly good. It will provide uniformity, predictability and ease of compliance. Rather having to comply with any number of existing laws, a company will only need to focus on a single standard for compliance.

“The second piece is a substantive question,” he continued. “A national data breach notification law will require setting a national threshold for data breach notification. Depending on what standard is chosen, it will either be stricter than many existing laws or looser than many existing laws. This will not be a huge issue for large entities, but for small and mid-sized businesses (if the law is stricter) it can pose meaningful challenges for compliance. Additionally, if the law is looser than existing standards consumers may feel that their particular interests are not being sufficiently cared for.

“The issue can best be summed up by the late Justice Brandeis, who observed that the states are the laboratory for democracy,” he said. “They have the flexibility to try different schemas, and to evolve standards based on their citizens, whereas federal standards have little ability to be tailored to smaller groups and have minimal flexibility in execution. While data breaches are fast becoming commonplace, they are still very new, and further experimentation may be beneficial at the state level, even though national standards would ease compliance.”

With the difficulty for the federal government to move much cybersecurity legislation forward, that may remain the status quo for some time.

George V. Hulme