Federal Data Breach Law is Long Overdue

I recently assisted a client with a response to a data breach incident. This isn’t an uncommon occurrence. Our law firm is notified almost weekly of a data breach incident involving one of our investment adviser clients. Most commonly, an unauthorized person gains access to an employee’s email and the inbox contains non-public information.

The first thing we ask our clients is: “Do you have data breach or cybersecurity insurance?”

The second thing we try to determine is how expansive the breach is, so that we can estimate how big a financial and time commitment it will be for our client to comply with the law. As a general rule of thumb, breaches become more time consuming and expensive as the number of clients and the number of states of residency increase.

This is because there is no federal law that dictates what businesses must do in the event of a data breach. The status quo requires a business to analyze the law of every state where a client was potentially impacted to determine (i) what the state’s definition of a “breach” is, (ii) whether the client in question was subject to a “breach”, (iii) what the business’s notification requirements are, and (iv) whether the business has any other reporting obligations. To get a sense of how ridiculous this task is, a current list of those requirements by state is available here.

It is long past time for Congress to make this process more uniform and manageable for businesses. The array of state data breach laws is inefficient, burdensome, and might even incentivize businesses to circumvent reporting obligations in various states.

The federal law should, at a minimum, settle on a uniform definition of a “breach”. The law should also create a federal website that allows for easy reporting by businesses to the federal government. That website would then automatically notify the state government in any state where an impacted client resides. This would alleviate the burden on businesses of reporting to various state Attorneys General while still providing states with the broad police powers they are entitled to in trying to protect their citizens and to resolve and prevent data breaches.

I can think of no reason why Congress shouldn’t act on this important measure, except many law firms and consulting firms profit from the current patchwork framework.
