Data breaches have dominated headlines in recent years. A company whose data is stolen is the victim of a crime, but nonetheless can find itself on the wrong end of a litigation onslaught, and may incur significant reputational damage and other costs.
One of the biggest costs is compliance with the patchwork of data breach notification laws, which can cost millions of dollars. There is no uniform federal data breach law. Rather, 47 states have enacted their own laws, which require notification to interested parties in the event that personally identifiable information (PII) is compromised. Significant variation exists among these laws regarding, among other things, the scope of PII, the circumstances triggering the duty to notify interested parties, who must receive notice, the content of the notification to the interested party, and the timing of the notice.
This maze of laws can pose a compliance nightmare. Take for instance an example of a stolen laptop. The company must ascertain what information was contained on the laptop and, in particular, whether it contained PII as defined under the laws of the various states. For each state whose data breach laws are implicated, the company must determine whether the duty to notify interested parties has been triggered, whose information was compromised and whether anyone in addition to those individuals must be notified, the content of the notification, and the timing of any notification obligations. If the laptop contained information related to financial or health information, then federal laws may impose additional requirements. If the laptop contained information related to transactions outside the United States, compliance with the laws of foreign jurisdictions must also be considered. All of this must be determined quickly.
Despite the problems posed by the patchwork of state laws, attempts at federal legislation have been without success. President Obama recognized the need for federal legislation, noting in remarks to the Federal Trade Commission (FTC) that “we're introducing new legislation to create a single, strong national standard...” This legislation, the Personal Data Notification and Protection Act of 2015, H.R. 1704, would require businesses that access PII of more than 10,000 individuals in one year to notify those individuals in the event of a security breach within 30 days. It was introduced on March 26, 2015, but stalled in subcommittee.
Other bills have had similar trajectories. For example, on January 28, 2015, the Data Accountability and Trust Act, H.R. 580, was introduced. This proposal would require the FTC to create regulations for those involved in interstate commerce who possess PII, and would require that both the FTC and the affected individuals be notified of a data breach. Like the president's proposal, it stalled in subcommittee. Another proposal, the Data Security and Breach Notification Act of 2015, H.R. 1770, introduced on April 14, 2015, would require notification to all affected U.S. residents where the breach will result in economic harm, as well as to the FTC, the Federal Bureau of Investigation and consumer reporting agencies. Like the other bills, it has yet to move past subcommittee consideration.
A federal data breach notification law would provide much needed uniformity, making compliance in the wake of a data breach more achievable and less burdensome. Such uniform legislation is necessary to protect companies with nationwide reach from the pitfalls of having to comply with 47 state data breach reporting laws that do not align.
David R. Singh is a counsel in the litigation department at Weil, Gotshal & Manges. Jessica Raynor, an associate at the firm, also contributed to this article.