WASHINGTON — It took Target a week to tell customers about a massive data breach that compromised the privacy of millions of shoppers during the holiday season. Neiman Marcus waited 10 days to tell customers after confirming last month that it had been victim to a similar attack.

The delays have angered consumer advocates, but they are not unusual. When companies must notify consumers of breaches, how they notify them and how much they disclose is governed by a dizzying mosaic of state laws.

The Securities and Exchange Commission has said that companies should inform consumers in a timely manner — as long as doing so doesn’t interfere with law enforcement investigations. But there is no national law that compels retailers or any firm to disclose a data breach.

With law enforcement warning retailers that more attacks are likely soon, there is a push in Congress to develop a federal standard for how companies should handle breaches.

“Today, consumers across the country aren’t uniformly protected, rather they’re subject to a patchwork of state rules and guidelines that are not effective enough in today’s national economy,” said Sen. Tom Carper, D-Del., who has co-sponsored a bill with Sen. Roy Blunt, R-Mo., to provide a comprehensive national framework.

The bill would require companies to safeguard their data, assess what harm a breach might do, notify federal agencies and, when appropriate, notify consumers of attacks that affect more than 5,000 customers.


It’s just one of several competing bills that have been introduced this session, inspired by the recent retail hacks.

The retail industry, which hasn’t endorsed a bill, said that it supports a national standard because it would simplify procedures in case of a breach. Companies must now deal with a patchwork of laws in 46 states and the District of Columbia, Guam, Puerto Rico and the Virgin Islands.

Maryland, for example, requires retailers to list the contact information of the state attorney general when there is a breach of personal information. Massachusetts residents must be informed that they can get a police report if they’re a victim of identity theft. Iowa requires businesses to suggest reporting suspected identity theft to law enforcement. Oregon mandates that companies be told to contact the Federal Trade Commission.

Few laws address specific timing. A handful of states say that retailers have 45 days to disclose a breach, though there are separate and more stringent rules for breaches of more sensitive information such as health data. In many states, companies are exempted from reporting breaches if their data are encrypted and the leak did not include the decryption key.

“It is an analytical feat to comply” with all the laws, said Lisa Sotto, partner and head of the global privacy and cybersecurity practice at Hunton & Williams.

Having so many laws also means that customers can fall through the cracks, consumer advocates said.

“It’s a national issue, and it demands a federal response,” said Delara Derakhshani, policy counsel for Consumers Union, the policy and action division of Consumer Reports.
