For a retailer experiencing a data breach, the realization that the sensitive personal information of hundreds, thousands, or even millions of individuals has been compromised is the scenario every executive hopes to avoid. Hoping for the best is a good attitude but a poor strategy. Companies must know what to do if and when such an incident arises. This is easier said than done when the unfortunate reality is that currently 47 states, the District of Columbia, and Puerto Rico have all enacted laws pertaining to data breach notifications, and in many instances, these laws vary dramatically, meaning that a company doing business in every state must be conscious of nearly 50 different requirements when responding to a data breach. The National Retail Federation (NRF) is calling for a uniform and comprehensive federal data breach notification law for all holders of sensitive personal information, including not only retailers but also banks, card processors, and telecom and credit card companies. Although retailers are the ones who usually end up in the spotlight during a data breach, according to Mallory Duncan, General Counsel for the NRF, banks are the entities that actually account for the largest share of data breaches, making a uniformly applicable law even more important.
A closer look at the laws of different states reveals a wide range of data breach notification requirements and makes it easy to see why NRF is calling for a uniform federal law. For example, what constitutes a legally acceptable notification time is anywhere from 30 days to 90 days, “without reasonable delay,” or simply after an investigation. Even perhaps the most basic concept, the definition of what actually constitutes “personal information,” varies among the laws of different states. For example, some but not all states include PIN numbers in the definition of “personal information,” and still others include biometric data such as fingerprints. Further, many states require notification to the state attorney general, but not all do, and some require notice to be provided to some other state agency or a credit reporting agency, but again, not all. And there doesn’t seem to be any light at the end of this already-complicated tunnel. Until last year, all states with data breach laws provided a safe harbor for breaches of encrypted data, but Tennessee recently added to the already complicated web of laws by removing the safe harbor for encrypted data.
Unfortunately, there doesn’t appear to be any specific benefit to having such a multitude of requirements, so for now, in addition to ensuring significant data security is in place, retailers should be aware that there are distinct data breach notification requirements for each state in which they do business and, should a data breach occur, should ensure that they have a plan in place and the resources available to abide by those distinct requirements. Support for a national data breach notification law, such as that advanced by the NRF, could go a long way not only in protecting consumers from further disclosure of their sensitive information but also in protecting retailers from having to sort through each state’s requirements and from dealing with the litigation that could follow a data breach.