There are already more than 30 different notification requirements on the books
Bananas.com was caught off guard last year. The musical instrument sales site suffered a data breach that was followed swiftly by a double whammy of consequences.
Roughly 250 customer records were exposed, likely after an individual obtained an administrative password and used it to access the site's systems remotely. (Site owner Bananas at Large has since put additional security procedures in place to prevent a recurrence.)
After the breach, the 25-person company scrambled to comply with the many state laws requiring customer notification. It alerted only the affected customers, either by mail or e-mail. Because its own resources were limited, Bananas referred victims to large credit-reporting agencies to monitor for subsequent financial damage from the breach.
Despite its efforts, Bananas apparently failed to meet all of its notification obligations and was subsequently slammed with fines and fees by major credit card companies. “They did not specifically provide a reason for the fees other than saying that we had not met all of the terms in our agreements with them,” says Bananas President J.D. Sharp. “They’ll fine the pants off you,” he adds.
The Bananas experience provides a hint of the turmoil a company can face as it tries to cope with disclosure requirements in the wake of a data breach. With more than 30 state data-disclosure notification laws now on the books, officials at many companies doing interstate business are hoping that cohesive national legislation will smooth out the nuances among differing statutes. But so far, federal legislation that would unify corporate disclosure rules is merely inching forward.
With no imminent legislative relief in sight, corporations sometimes resort to blanketing customers with notifications after a breach — lobbing disclosures even in those states that don’t require them, simply to cover all bases. But this practice can have “unintended detrimental consequences,” says Robert Scott, managing partner at the Dallas office of Scott & Scott LLP, a law and IT services firm.
Studies have shown that most customers would take their business elsewhere if they received two or more security breach notices, says Scott. “When faced with a security incident, businesses should carefully determine who has been impacted, review their breach notification laws in the relevant states, and devise a breach notification strategy that satisfies the legal obligations and properly notifies affected consumers,” he says.
Many organizations are integrating the efforts of IT, Legal and other departments to come up with strategies to comply with state regulations and ultimately weather worst-case scenarios.
Others are stepping up encryption efforts, since many states don’t require companies to disclose security incidents if the compromised data was encrypted. That exemption is only worth something if the decryption keys were not exposed along with the data; encrypted records that an attacker can decrypt are, for practical purposes, plaintext.
Companies as varied as Microsoft Corp., Bank of America Corp. and Verizon Communications Inc. have all taken steps to address the issue with specific teams and processes to handle disclosure in the event of a breach. In large companies, disclosure activity often involves multiple internal functions, such as the offices of the chief auditor, the chief compliance officer, the chief privacy officer and the chief technology officer or the CIO, says Joseph Rosembaum, a partner at New York law firm Reed Smith LLP.
The lack of a central authority can create problems.
“Where responsibilities are partitioned across a diverse set of functions, each office may have the ability to provide greater focus on individual issues, but the challenge of coordination across multiple disciplines is more difficult,” Rosembaum notes.
Moreover, it takes corporate vigilance to keep pace with so many differences in state disclosure laws — variations that start with notification triggers. Some states require notification only if a breach is likely to harm individuals. Others force companies to cast a wider net.
“For some states, any breach that compromises the security or confidentiality of covered personal information triggers the obligation to notify the affected individuals,” notes Thomas Smedinghoff, a partner at Chicago law firm Wildman, Harrold.
The timing on triggers also varies. “Some states require that consumers be notified when their information is lost. Other states will allow the breached entity to perform some analysis to determine the degree of risk to consumers,” says Jorge Rey, information security and audit manager at independent accounting firm Kaufman Rossin Co. in Miami.
Notification triggers aren’t the only differences among state laws. For example, although one state might allow exemptions for compromises of encrypted data, “another state without such an exception would require a notice, even though the data was unreadable,” says Geoff Gray, a privacy and data security consultant at the Cyber Security Industry Alliance in Arlington, Va.
And as Bananas.com learned, the high cost of notification compliance doesn’t stop with the resources it takes to coordinate a response and alert customers. “Enterprises may face potential litigation and fines,” says Scott.
The team at ChoicePoint Inc. knows all too well the complexities of navigating state disclosure laws. After a data breach two years ago, the Alpharetta, Ga.-based company dashed out notices to about 163,000 people. “We expanded upon legislation that only existed at the time in California and opted to make nationwide notification of potentially affected consumers, without any state or federal law requiring us to do so,” says Christopher Cwalina, ChoicePoint’s assistant general counsel and vice president for compliance.
The company’s woes made headlines, but the incident also prompted it to codify breach management plans and assemble a response team. Its policy now “lists all enacted state data breach notification laws, as well as the unique requirements of each law,” Cwalina says.
In addition, ChoicePoint leans heavily on its government affairs team and legal department to track the laws and monitor compliance in the event of a breach.
Large or small, companies should plan ahead to lessen the burden of notification in the event of a data breach. “Encryption is the single most effective way to avoid the negative business impact of data breaches,” says Scott. “Under most privacy statutes, if you have encryption, you get a free pass from notification.”
But with or without encryption, it’s wise to devise a strategy for disclosure in the event of a breach. Companies should have a team in place that can assess the scope of damage and meet the demands of state regulators and credit card companies.
The goal, says Cwalina, is to “act quickly, investigate thoroughly and notify promptly.”