Weak Data-Breach Laws Leave Us All In A Compromised Position
If today’s tech headlines follow the pattern of the rest of this month’s news, we’ll be able to celebrate the sixth anniversary of Data Privacy Day with a report that yet another company has seen its customers’ information exposed through some massive, preventable data breach.
Fortunately, strong federal laws ensure that we know about these incidents in time to protect ourselves—and ensure that retailers, banks and other organizations can share secrets about threats and vulnerabilities.
Oh, wait, that last sentence is from the 2024 version of this post. This, however, is the 2014 edition, and so it must report that no such nationwide legal umbrella covers you and your various digits. You often have to hope that companies’ own self-interests lead them to do the right thing.
Most of the time, nothing too bad happens if they don’t. Your credit-card firm refunds phony charges and sends you a replacement, the free credit monitoring offered to make up for the breach doesn’t reveal subsequent mischief, and life goes on.
But for an unlucky few, identity theft becomes an expensive and prolonged problem. Third parties can suffer too: A community theater in Redlands, Calif., saw its site used to test stolen credit-card numbers from across the country and then ate almost $30,000 in service fees levied by its payment-processing service after it refunded the bogus transactions.
And we all wind up paying a little extra when poor security in credit-card terminals, subscriber databases and Web servers—none of which you have any power to fix on your own—increases the cost of doing business everywhere.
Washington’s rules on the subject largely consist of privacy laws governing the health-care and finance industries. That leaves out a mall’s worth of companies—Target, Neiman Marcus and Michaels, to name the last few big cases of retailers that had their networks hacked.
Firms that do an especially bad job safeguarding people’s data risk an investigation and fine by the Federal Trade Commission. But one of the highest-profile FTC targets, Wyndham Hotels, is questioning the commission’s authority in court—and considering the last legal challenge of a regulator acting on less-than-clear authority, it could win.
In effect, Washington has outsourced this work to the states. “Most kind of run-of-the-mill data-breach reporting obligations are driven by state regulations,” said Jim McCullagh, a partner with Perkins Coie in Seattle and co-chair of its privacy and security practice group.
But the problem with state laws is that there are so many of them. Forty-six states have passed laws with varying definitions of “personal information” and requirements for disclosure (the holdouts being Alabama, Kentucky, New Mexico and credit-card hub South Dakota), and companies doing business in more than one must figure out how to comply with all of them.
That’s not an easy exercise. The usual course, McCullagh explained, is that “the state that has the most stringent standard is the one that controls”—which leads to distant firms having to familiarize themselves with California or Massachusetts laws.
In theory, it shouldn’t take the threat of legal action to get companies to prevent breaches and notify customers promptly if they happen. Breaches are an expensive habit, at an estimated average cost of $204 per customer back in 2009, and customers can flee if they think a company’s careless with their data.