Is It Time for a Federal Data Breach Notification Law?

Businesses and individuals affected by data security breaches often face a long and expensive battle to repair the damage. Given the increasing frequency and severity of data security breaches, it doesn’t look like this problem is going away anytime soon. Since it’s impossible to prevent every breach beforehand, protective measures must include ways to limit the damage afterward, such as providing prompt notice to those affected by a data security breach.

According to the National Conference of State Legislatures, forty-seven states have laws requiring private or government entities to notify individuals of security breaches involving their personally identifiable information. Though these laws may be similar, they are not the same. Currently, a multi-state business may be subject to various, possibly conflicting, notification requirements.

One way to eliminate the current patchwork of state notification laws is to enact a federal law that establishes a single notification standard that applies nationwide. Though a number of bills were introduced in Congress over the past few years, none became law. This year, however, may be different.

Earlier this year, President Obama put forth a new legislative proposal that would provide the certainty of a single, national standard. According to the White House, the Personal Data Notification & Protection Act of 2015 clarifies and strengthens the obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach.

Another bill, the Data Security and Breach Notification Act of 2015 (the “DSBN Act”), seems to be making more progress than in years past. According to the House of Representatives’ Energy and Commerce Committee, data breaches are a growing problem. Though technology has empowered consumers, it has also empowered criminals who cost consumers tens of billions of dollars each year, impose all kinds of hassles and can create a long-lasting negative impact on their credit.

According to the Committee, the DSBN Act:

  • Sets, for the first time, a national standard for reasonable security measures and practices to protect personal information.
  • Defines personal information to include information tied to identity theft or payment fraud, such as Social Security numbers, financial account credentials and names coupled with driver’s license or other government-issued identification numbers.
  • Requires covered entities to conduct a good faith investigation after discovering a breach to determine if there is a reasonable risk of identity theft, economic loss or harm.
  • Requires covered entities to notify consumers about a breach of personal information unless there is no reasonable risk of identity theft, economic loss or economic harm.
  • Requires notification as expeditiously as possible and not later than 30 days after the covered entity has taken the necessary measures to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the data system.

It’s too early to know whether this will be the year a federal data breach notification law is passed. If so, the final version will no doubt be different from the current drafts. Nevertheless, the chances of passing such a law seem higher than before.

Until we find a better solution for dealing with data security, businesses should consider insurance to protect against cyber risks. There are a number of cyber liability products that protect against privacy injuries, such as identity theft, and that cover the cost of complying with current data breach notice laws. However, given the complexity of the risk, an experienced insurance agent should be consulted to ensure that adequate coverage is obtained.

If you would like to learn more about insuring against cyber risks, contact us.

If you would like to learn more about preventing data security breaches, take our online course Information Risk Management: Strategies for Preventing and Mitigating Information Security Breaches.