Is This a Good Idea? Yes, But…
Both chambers of Congress have recently introduced legislation which would give companies an increased measure of discretion when deciding whether or not a breach of personally identifiable consumer data must be reported to those potentially impacted by the breach. Under a wide array of current state laws, companies must alert consumers of a breach of their personal data regardless of perceived harm. The reporting period? Typically 30 days from the discovery of the breach, and some states require reporting to regulatory agencies as well. The new laws would allow companies to apply some discretion, only requiring them to notify consumers if there is a reasonable risk of financial harm, for example if the compromised data was the type that could facilitate identity theft or fraud.
“Too much notification undercuts the value of useful notification,” according to a spokesperson for Rep. Marsha Blackburn (R-Tenn.), who sponsored one of the proposals. The theory is that allowing companies to focus on the nature of the breach, and to report the data loss centrally (i.e., to the FTC, rather than being forced to navigate a myriad of different states’ statutes with varying notification regulations), would help to reduce the amount of unnecessary reporting.
This is probably a good idea. A breach involving relatively minor consumer data (an email address, for example) is not likely to lead to financial harm to the consumer, but can be enormously costly to remediate. And the class-action suits that almost always follow can plague a company for many years. There are some important caveats, however, that a company must keep in mind if the notification laws are softened.
- Analysis is critical. While a more moderate law will potentially ease the burden on companies, those companies must be even more vigilant in their breach response analysis efforts. A company that decides NOT to notify must be completely sure there was no loss of significant consumer data.
- Is your decision defensible? Once the analysis is complete and your client decides not to report, would a “jury of their peers” agree that the decision not to report was reasonable? Get wise and experienced counsel in this area to avoid the almost certain armchair quarterbacking that can occur.
- Document everything. Keep immaculate records related to the analysis, the steps taken, supporting digital evidence, findings, and critical assumptions related to those findings. Lawyers should retain the forensics experts so that the work is covered under privilege.
A more moderate breach response law has been a long time coming, but companies cannot interpret this as an opportunity to water down their post-breach investigation activities.