In the wake of recent, large-scale data breaches, one being the breach at the Office of Personnel Management (OPM) affecting millions of federal employees, a number of bills have been battling their way through Congress to address breach notification and data security requirements at the federal level. There has been an ongoing pattern for years – big breaches, flurry of bills in both houses of Congress, bills die… big breaches, flurry of bills in both houses of Congress, bills die…
A sticking point for this legislation now and in past years is whether a federal law should preempt state notification laws. In a letter signed by the Attorneys General of just about every state with a data breach notification law (47 states have such a law), the National Association of Attorneys General tells Congress to let states continue to address this issue. It does not appear that the NAAG is necessarily opposed to a federal data breach notification law or data security standard, it just prefers that “a federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft.”
However, many consider the matrix of state laws to be confusing and a barrier to a streamlined notification process that a uniform federal standard might bring. There is some merit to this. For example, the notification law in Massachusetts prohibits businesses from describing the circumstances of the breach in the notification letter. However, the notification laws in many other states require the letter contain a brief description. Also, some states such as New Jersey require notification to a state agency before notification is made to affected individuals, while other states do not have such a requirement. A third example is that many state laws have a “risk of harm” trigger; that is, a provision that says, in essence, notification is not required if there is not a significant risk of harm to the affected persons. The language in these provisions, however, varies considerably, making it difficult for a business to apply those provisions in a multi-state breach.
The debate certainly will continue. But what is important for businesses large and small is that they have a plan to respond to a breach, and practice that plan. Most companies will experience a data breach affecting personal information and, whether driven by federal and/or state laws, will likely have to notify affected persons. Preparation is critical, and here are some questions businesses, particularly small and mid-sized businesses should be asking:
- Who are the key people in the organization that would be in the best position to drive the breach response?
- Do employees know what a data breach is and where to report one?
- Does the company have vendors lined-up in the event there is a breach?
- Does our IT team have the appropriate expertise – they manage our systems, and IT equipment, but do they know data security, forensics, etc.
- Who should we call first if we suspect we have had a breach?
- Do we have to bargain with the union about our plans for dealing with breaches involving employee data?
- Is there an insurance policy that might cover some of the costs?
- Do we have a plan for addressing media attention?
- Do we have any contractual obligations in connection with a breach? Will this affect our government contract? Have we met our payment card obligations (PCI compliance)?
- Are we prepared to have our data privacy and security safeguards and written policies scrutinized by a federal or state agency?
- What steps should we be prepared to take to mitigate potential harm following a breach?