Data breach overload: Is it time for a new law?

June 16, 2011

Sony, Citigroup, Michael’s stores, Epsilon, Massachusetts unemployment recipients, Texas state retirees, etc., etc. Data breaches this year have affected hundreds of millions of accounts of all stripes, and it might just be time for a new law.

OK, new-law haters, there’s some rationale here. Wildly inconsistent reporting by companies (and government agencies) has left consumers ignorant of their status as victims. And wildly inconsistent levels of security for personal data have caused some companies to give up their customer records to thieves by the million.

Data breach news tends to trickle out, and usually those affected find out quite some time after their information has been sent to parts unknown. Citigroup, the most recent target to announce a breach, revealed the information weeks after the fact and has since said that the total number of accounts affected is larger than it had previously estimated.

In most of the recent thefts, the data taken would most likely leave consumers vulnerable to targeted phishing attacks and other scams built around the knowledge the crooks now have: your name, who you do business with, where you live and how to get in touch with you. (Here’s a guide to protecting yourself from these attacks.)

A Federal Trade Commission official told Congress this week that it’s not only time for a data breach notification law — several bills addressing the breaches are in play — but that it needs to have sufficient teeth to force companies to comply.

“If companies do not protect the personal information they collect and store, that information could fall into the wrong hands, resulting in fraud and other harm, and consumers could lose confidence in the marketplace,” FTC Commissioner Edith Ramirez told the House Committee on Energy and Commerce, Subcommittee on Commerce, Manufacturing, and Trade.

Attorney Lisa Sotto of the Hunton & Williams firm advises companies on how to handle breaches and navigate the reporting laws, which vary by state. Some states, she said, say the company should notify consumers as quickly as it is able to (some aren’t that able), while other states require the news be shared within 45 days. (Congress is considering a 60-day limit.)

As a legal adviser to such companies, Sotto said she doesn’t think simply announcing that a breach happened is always the best idea.

“There’s a very fine line between notifying quickly and notifying well,” she said. “To the extent that you go out to the public without knowing as much as possible about the event. You should have a decent understanding before notifying. While it’s important to go quickly, we don’t want to go out to more people than we have to and we don’t want to give out incorrect information.”

At the same time Ramirez was testifying, the FTC announced settlements closing out two data security cases:

  • HR and payroll company Ceridian Corp., which was accused of failing to protect payroll data of 28,000 of its small business customers.
  • Immigration service firm Lookout Services, Inc., which was accused of failing to protect its customers’ Social Security, passport and military identification numbers.

Both firms agreed to have independent audits of their data security every other year for 20 years.
