In the dark days--or the good old days, depending on your point of view--before California's SB 1386 data breach disclosure law, letting customers know that their information may have been compromised was strictly company business.
"Before SB 1386, most companies avoided disclosure--it could only hurt you," said Trent Henry, Burton Group senior analyst. "Breaches could cause harm to the person but not the company--not a lot of incentive. Laws have put disclosure front and center as reputation risk and regulatory fines."
While SB 1386 applied only to companies doing business in California, the die was cast. Since the law was enacted July 1, 2003, 33 other states, and New York City, have passed similar laws. Michigan and Washington, D.C., may follow suit this year. Nondisclosure is no longer a practical option.
"A lot of companies tried to avoid disclosure by separating their California customers. Now, since so many states have [disclosure laws], companies realize they have to get out and notify," said Paul Proctor, vice president of research at Gartner.
That presents its own set of problems. Most large companies do business in every state; how do they sort out the requirements if a major data breach affects customers across the country? While California is the model, companies have to be sensitive to what triggers disclosure requirements, what data may be exempt, and the method and timing of notification.
"You don't want 34 triggers, just one trigger that satisfies most requirements. [It's a] waiting game until we get a federal bill that has preemption," said Eric Holmquist, VP of risk management at Advanta Bank.
"We've done internal analysis of state laws and [have] benchmarked [them] to California," said Paul Martino, counsel with Washington law firm Alston & Bird, which represents the National Business Coalition on E-Commerce and Privacy, a group of companies that includes giants such as General Motors and Fidelity Investments. "Other states have done a better job, for example, establishing a higher trigger for notification at significant risk of harm or ID theft--a big topic at the federal level."
That echoes the testimony of FTC Chairman Deborah Platt Majoras, who urged the Senate Committee on Commerce, Science and Transportation to adopt "significant risk" to consumer information as the notification trigger. For example, a lost or stolen laptop may constitute a breach but one with little chance that the data exposed will be used to steal customer identities.
There's been a lot of activity--action may be too strong a word--at the federal level, as both the House and Senate have wrestled to agree on a single bill to supersede the smorgasbord of state laws and simplify life for companies and consumers alike. Congress jumped on the issue in 2005, but it lingers into 2007 without resolution.
"ChoicePoint was the watershed; that's when it exploded," said Martino.
Both the House and Senate have multiple bills introduced in different committees, all of which have some jurisdiction. Some observers blame the lack of progress on congressional distraction with more urgent issues, such as Iraq and immigration. Others cite the jurisdictional issues.
"It's completely bollixed up by jurisdictional disputes," said Liz Gasster, executive director for the Cyber Security Industry Alliance (CSIA). "Barney Frank (D-Mass.) has been taking a proactive approach to form a task force from key committees to work on uniformity in presenting legislation."
Legislative creep, such as adding privacy provisions on top of data security requirements, has also stalled efforts to pass focused legislation.
"Nobody is losing sleep waiting for it--life goes on," said Advanta's Holmquist. "Congress came to the realization that this is a lot messier than they thought. It's inevitable, but just a question of how watered down it might be and what else gets stapled on to it."
Gasster stressed that federal law should apply to government and educational institutions as well as businesses, without being redundant with other laws such as GLBA and HIPAA. She said CSIA would also like to see federal data security standards that go beyond breach disclosure, creating "safe harbors," such as strong, well-defined encryption for data.
In the meantime, national companies have to find a practical way to satisfy 34, and counting, state breach disclosure laws. "It's not practical to try to sort out people from one state to another and do it differently," said Gartner's Proctor. "Best practice is to put disclosure procedures in place. Take an aggressive stance that covers all of the laws."