Transparency and Data Breach Notifications

There is currently no comprehensive federal statute in the United States governing how companies must disclose the increasingly common data breaches they suffer, so the question has been left to the fifty states, each of which sets its own rules. The absence of a national standard leaves wide room for variation: what counts as an adequate notification, how quickly it must be sent, and how large a breach must be before a company is obliged to report it all differ from state to state. A useful starting point is California's breach notification law, Civil Code section 1798.82. On timing, the statute says only that "The disclosure shall be made in the most expedient time possible and without unreasonable delay" (1798.82), which leaves the window open to the company's own judgment of how long a reasonable assessment of the damage takes. That leniency can be abused: a company can overstate how long its investigation needs in order to delay notifying customers and keep operating without the bad publicity that follows a breach. To keep companies accountable, California requires that the notice contain "a list of the types of personal information that were subject of a breach" (1798.82), so affected individuals know exactly what was exposed. Tracking every category of data involved is a sound accountability measure and makes it possible to notify everyone affected when a breach spans multiple companies or thousands of customers. California sets no minimum size for a reportable breach: if sensitive personal information such as medical records, Social Security numbers, or online account credentials (including security questions and answers) is exposed, notice is required no matter how few people are affected.
Under California law, every affected person must receive either a written notice or an electronic notice; substitute notice is permitted only as a fallback when the cost of individual notice would exceed $250,000, when more than 500,000 people would have to be notified, or when the business lacks sufficient contact information. Substitute notice is not a single channel but all of the following together: email notice where an address is available, conspicuous posting on the company's website, and notification to major statewide media. Because the thresholds are so high, broad public notification through substitute notice rarely comes into play, which limits the visibility the public gets into a large breach; California does, however, require that a sample copy of the notice be submitted to the Attorney General whenever more than 500 California residents are affected. New York's law adds a much lower threshold for escalation: "If more than 5,000 New York residents must be notified, breached entities must also notify consumer reporting agencies" (NYGBL 899-aa). Consumer reporting agencies here means the credit bureaus, not a business rating body; notifying them puts the affected consumers' credit files on alert for identity fraud. Bringing in a third party with an ongoing interest in the consumer is a significant step toward holding companies accountable, and if breach history were also reflected in public ratings such as those of the Better Business Bureau, companies would have an added incentive to improve security and stay in compliance.

What should be done:

The United States should adopt a national standard for data breach reporting that applies to every company holding consumer data, regardless of its industry. Much of it can be drawn from laws already in force in states such as California and New York. Fixed reporting deadlines would be a major gain for consumers, who could make informed decisions about their exposure, while ensuring that companies report promptly rather than at their own discretion. Feeding breach history into public ratings such as those of the Better Business Bureau, and requiring several avenues of communication with affected consumers, would add transparency and accountability. Finally, requiring companies to state which data was affected and which remains secure is essential both for consumers and for the company itself, since pinpointing where the breach occurred is the first step toward closing the gap.

Sources:

California Civil Code § 1798.82. California Legislative Information, https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.82.

“Data Breach Notification Laws by State.” IT Governance USA, https://www.itgovernanceusa.com/data-breach-notification-laws#NY.

By: Justin Sledesky