The Tangled Web of Data Breach Notification Laws
Bananas.com is an online musical instrument sales site. Last year it suffered what would have to be considered a very small breach, roughly 250 customer records. The 25-person company attempted to comply with the data breach notification laws of every state in which those 250 customers resided. Yet, according to a recent Computerworld article by Jennifer McAdams, despite its efforts Bananas apparently failed to meet all of the various state notification requirements and was subsequently slammed with fines and fees by major credit companies.
“They did not specifically provide a reason for the fees other than saying that we had not met all of the terms in our agreements with them,” says Bananas President J.D. Sharp. “They’ll fine the pants off you,” he adds.
The issue is the variation among the state consumer notification laws. Of the 38 states that currently have such a law on the books, 18 require notification of any breach, while the other 20 require notification only when a risk of harm is present. All 38 provide an exemption if the compromised data was encrypted. Finally, 24 states require that certain government officers or agencies be notified in addition to the affected consumers. Timing is another variable: when must the consumer be told? “Some states require that consumers be notified when their information is lost. Other states will allow the breached entity to perform some analysis to determine the degree of risk to consumers,” says Jorge Rey, information security and audit manager at independent accounting firm Kaufman Rossin Co. in Miami.
The answer would seem to be a single federal law that brings some needed consistency to how companies must respond to a breach, but the current legislation is barely making progress in Congress.
In response, some companies have taken to blanketing customers with notices, but, according to Robert Scott, managing partner at the Dallas office of Scott & Scott LLP, this practice can have "unintended detrimental consequences." Studies have shown that most customers would take their business elsewhere if they received two or more security breach notices, Scott said.
For now, until the federal government can come up with one comprehensive law, the goal is clear, according to Christopher Cwalina, ChoicePoint's assistant general counsel and vice president for compliance:
"Act quickly, investigate thoroughly, and notify promptly."
Contributed by Mark Tordoff

Identity theft has brought great tensions to the corporate world, causing many companies losses each year. Everyone is scared of their personal information being leaked out to some strangers. Not only offices but individuals at home should also purchase one for safety.
Posted by: Industrial Shredders | January 12, 2009 at 01:05 AM
Have you asked Choicepoint why they haven't offered a nationwide security freeze like the 3 national credit bureaus?
Posted by: George | November 12, 2007 at 02:33 PM