Yesterday, in his weekly video address, Attorney General Eric Holder urged Congress to create a national data breach notification standard requiring companies to quickly notify consumers of a breach of their personal or financial information. In the wake of the high profile holiday season data breaches at retailers Target and Neiman Marcus, Holder stated that the Department of Justice and the U.S. Secret Service continue to work to investigate hacking and cybercrimes. However, Holder believes that Congress should act to establish a federal notification requirement to protect consumers. Holder’s video address is available here .
Currently, at least forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information. As might be expected, the laws vary widely from state to state, particularly in the timing requirement for the breach notifications. Most laws allow delay to accommodate a law enforcement investigation.
Some states require notification as soon as reasonably practicable. Others require notification within 45 days. Yet organizations have faced lawsuits for failing to notify on a timely basis, even where there is no set standard. This presents a difficult situation for companies. Organizations need to investigate a data breach and determine the type of information affected, who was affected (and thus needs to be notified), and importantly, whether the breach is ongoing such that the company must immediately implement remedial measures.
Attorney General Holder believes Congress should set a national standard that will better protect consumers. Holder asserts that a federal requirement should enable law enforcement to investigate the data breaches quickly and to hold organizations accountable when they fail to protect personal and financial information. Holder’s video message did include a reference that this requirement should create “reasonable exemptions” for companies to avoid creating unnecessary burdens.
The Target and Neiman Marcus data breaches have certainly raised the profile of cybersecurity issues on Capitol Hill, with several bills having been introduced in recent weeks addressing data breaches. While the states certainly took the lead in protecting consumers by enacting data breach laws over the past several years, a properly-crafted national standard could provide more consistent guidance for industry and a uniform rule for consumers irrespective of their home states. Should Congress move forward on a data breach law, reasonable accommodations need to be made for companies to have time to investigate data breaches, to determine scope, persons affected, and the type of information affected. A national standard setting forth a notification deadline would also presumably alleviate the “rush to the courthouse” from the plaintiff’s bar with data breach notification timing allegations.