Data Breach Laws Unlikely to be Adopted at Federal Level

In the last few years, lawmakers at both the state and federal levels have paid a lot of attention to how companies, both large and small, deal with the fallout from the data breaches they suffer. Currently, almost every state has a law on the books that dictates how this must be done, but hope for a federal bill that would overarch them all seems to be fading.

Despite numerous efforts over the past few years to create and pass a broad federal standard for data breach notification and handling, experts now seem resigned to the idea that this kind of change will not come any time soon, according to a report from SC Magazine. Currently, all but four states across the country have their own data breach laws, with Alabama, Kentucky, New Mexico, and South Dakota standing as the lone exceptions. However, many believe that the different standards in New York and Florida, for example, could be extremely troublesome for companies suffering data breaches, as well as the people victimized by them.

“[The laws] are not all uniform,” Mark Schreiber, a partner at Boston firm Edwards Wildman who chairs the World Law Group Privacy Group and led the development of the Data Breach Guide, told the website. “It would be nice and helpful to everybody, companies and individuals alike, if there was a uniform data breach standard in the U.S., but there are multiple standards. … It’s difficult, in terms of when notice must be given, the content of the notification, who needs to receive it and under what time deadlines. At its core, it’s difficult with hacking events. Hacking events aren’t as easy due to the nature of the [attacks].”

Further, these varying standards may be problematic specifically because what legally constitutes a data breach differs from state to state, the report said. An incident that rises to that standard in Massachusetts may not do so in another state.

Other potential issues

Of course, when hacking attacks are involved, the problems can be very different for companies and consumers, because of the ways in which the fallout must be handled, the report said. For instance, some states may allow law enforcement officials to push back the dates by which data breach notifications must be sent out, depending on the circumstances of a pending investigation.

The lack of a federal standard, which would mean that all states must adhere to at least the minimum requirements laid out by law, remains troubling to those in the industry, the report said. Schreiber referred to the hope of such a law at this point as being “aspirational,” but likewise noted that no country with an overarching set of rules currently in place has done a good enough job that the U.S. could model its framework on that nation’s.

Owners who are concerned about the various issues that can arise after a data breach might be able to give themselves a little more peace of mind by making sure their companies are covered by comprehensive tech insurance policies. This type of small business insurance plan helps to defray the potentially massive costs of a breach, which can easily stretch into the tens of thousands of dollars or more and could otherwise sink even a relatively successful small business. Those costs include notification, increasing existing data security, paying for identity theft protection for potential victims and other issues that may need to be addressed.