The MCLB has touched on responding to data breaches before. In that entry, we noted in passing that “the laws governing corporate responses to various forms of data breaches are extensive[.]” That was an understatement. In fact, nearly every state has its own statute on point, and each of them imposes different obligations and penalties. So, if you do business nationwide and you are the victim of a data breach, the laws of 47 jurisdictions are there to add insult to injury.
This patchwork of laws, of course, is a pain to comply with. That’s why it is so pleasing to see that federal legislators are looking at imposing a new law on point. Now, that article is filled with skepticism that any such law will pass – and rightfully so – but let’s assume for the moment that one will. What should it include? Here are some highlights.
Federal preemption is a must. As Representative Lee Terry succinctly stated, “There are 47 state standards. There’s no reason to add a 48th.” State attorneys general disagree, but mostly because they don’t trust Congress to do a good job drafting the law. It’s hard not to be concerned about that possibility, but since there’s no point in passing a bad law (like most of the state laws dealing with breaches), let’s assume that Congress won’t.
Next, the law must clearly define what a data breach is. This is one area where Missouri and a handful of other states have done a pretty good job by focusing not on the means of intrusion, but rather on the data obtained. This is the right approach: nobody would have cared if all the Neiman hackers obtained was information about its inventory of face creams, so why make your law deal with it? Missouri and its cohorts specify that the data must be certain information that – either on its own or with other information – could be useful to someone trying to, say, steal a consumer’s identity or credit. Perfect.
The law must also provide clear notification standards. Laws requiring notice “as soon as practicable” are unsatisfying, especially when they carry the possibility of hefty penalties. Is practicality measured against costs of identifying affected customers quickly? Or against a company’s ability to undertake the task itself, rather than with an outside company? What if you don’t have an address, e-mail, or phone number for the customer? What then? I suggest clear timelines (e.g. “four weeks”), with an allowance for the enforcing entity – the FTC, I assume – to consider mitigating factors. That leaves things squishy, but it at least gives the company a clear safe harbor.
Critically, the law must give meaningful treatment to encryption of the data. Missouri’s law, for instance, carves out notification exceptions for breaches of encrypted data. The thing is, encrypted data can be decrypted, and I would submit that the mere fact someone has taken encrypted data is strong evidence of intent to decrypt it. Shouldn’t the consumer be notified? I can’t shake the feeling that the encryption exception in the Missouri law is more a concession to the victim company than anything, but the consumer notification provisions aren’t meant to be punitive – the monetary penalties are there for that – so there’s no compelling reason why a company’s good faith efforts to protect its data should alter its notice obligations.
Finally, the penalty provisions should be scaled to the number of customers affected, rather than the number of breaches. There are a couple of reasons for this. First, determining how many breaches occurred can be difficult. For instance, if a hacker were to put a program onto a company’s servers that periodically transmitted new customer data to the hacker, would that be a separate breach for each transmission, or just for the entry to put the program on? Second, companies with more data are bigger targets for breaches – why get ten credit card numbers if you can get ten million? It’s therefore sensible to impose a greater incentive on them to secure their data.
A federal data breach notification law makes good sense. Done right, it could reduce compliance costs while enhancing consumer protection. Let’s hope we see one in the near future, and let’s hope it’s done right.
1. That is, 46 states and the District of Columbia.
2. Succinctly, but slightly inaccurately.
3. Well, maybe Neiman. Perhaps its face cream vendors.
4. There are, of course, many forms of encryption, and some are better than others. Rather than turn the law into a set of squishy standards, or a list of approved encryption forms, it’s better just to leave the notification requirement in place, even if the data are encrypted.