Legal Brief: Changing the Landscape of Data Breach Notification

Quantifying the goodwill your customers and clients have for your organization has always been a black art. But now data security-breach notification laws provide a way to assign it a value based on market research. Forty percent of retail customers say they would consider terminating a relationship with a company that suffered (or "permitted," depending on your perspective) a breach resulting in dissemination of personal data, according to the Ponemon Institute. Somewhat fewer actually do so (19 percent surveyed took their business elsewhere). But while talk may be cheap, data breaches are expensive. Multiply that loss of customers by the cost to attract new ones, and you'll have some idea of the breathtaking cost of a breach.

Data-breach laws are state-based, covering 35 states. But that could change with multiple federal data-breach bills in Congress, each of which would largely displace the state laws. Keeping abreast of these developments will help you proactively develop your compliance strategy. The changes required in IT systems to these shifting legal demands are the same as any other change request: often complicated and always costly if fast-tracked.

Last congressional session, a federal data-breach law was close to enactment, except that the late-term legislative process stalled in the face of competing bills. Most have been resurrected and are primed for action to combat the continual stream of massive breaches in the private and public sectors.

These federal bills differ from typical state laws. First, the triggering event is often different. Most federal proposals set forth a "material risk of harm" to a consumer that must be established, without which notification is not required. Only some state laws are so triggered. As important, some proposals call for stakeholders--the breached company, a consumer protection agency or law enforcement--to determine whether material risk exists. Naturally, each may answer differently.

Second, many proposals call for involvement of federal law enforcement. An aggressive bill sponsored by Sen. Leahy (D-VT) calls in the feds for a "serious breach," defined to include disclosure of more than 10,000 personally identifiable information records or disclosure involving a database with more than 1 million PII records.Third, about half of the bills also prohibit efforts to conceal a data breach, with civil fines of up to $50,000 per day and/or criminal sentences of up to five years in prison. Considering that many state laws provide little or no enforcement mechanisms, these sanctions would represent a major shift in data-breach policy. As with Sarbanes-Oxley, the theory is that decision-makers are forced to pay attention when faced with such stiff liability.

Fourth, the explicit "encryption exemption"--which exempts notification if breached data was encrypted--may disappear under federal policy. Presumably, the notion is addressed by the "material risk" standard mentioned above. Additionally, one bill attempts to close the "encryption strength loophole" and the "key management loophole" by removing the encryption exemption if the crypto system was, or appears to have been, compromised.

Finally, the notification requirements are more comprehensive than the state laws. One proposal calls for a five-tiered reporting method requiring sequential notification to the sector-specific federal agency, a law-enforcement agency, relevant financial institutions, credit reporting agencies and, finally, the consumers.

With conflicting proposals and committees squabbling over jurisdiction of data-breach laws, this congressional session could maintain the status quo. But a federal bill pre-empting most facets of the state laws is likely in the near term. Anyone maintaining PII should keep an eye on the process in order to stay ahead of the game.

Patrick R. Mueller, CISSP, is completing his law degree at the University of Wisconsin-Madison and will be joining the privacy compliance practice at Wildman Harrold Allen &Amp; Dixon, LLP, in Chicago. Write to him at [email protected]. 0