Minor cybersecurity data breaches will not have to be disclosed under legislation proposed in both the U.S. House and Senate in recent months.
The proposed legislation would allow companies to decide for themselves whether a breach of consumer data merits the notification of customers, according to the Wall Street Journal. However, companies would need to act quickly to notify customers about an intrusion if they believe there is a risk of serious identity theft or fraud resulting from the breach. If companies believe there is no reasonable chance that a breach will hurt customers, the legislation would allow them to not disclose it.
The proposed cybersecurity laws would override current state laws on notification. Many of these require firms to tell customers if there has been any unauthorized access to their personal data, regardless of perceived harm, said Gerald Ferguson, a privacy attorney at Baker & Hostetler who counsels companies on handling breaches.
The standard would lead to fewer notifications, said Mr. Ferguson. "It would permit companies to do a second analysis of whether there is a reasonable risk of financial harm. When you are starting to do a risk of harm analysis there is a lot of discretion."
The proposed law takes into account concerns that "too much notification undercuts the value of useful notification," said a spokesperson for Rep. Marsha Blackburn (R–Tenn.), a sponsor of one of the proposals.
Instead of requiring notification in all cases, the bill is focused "on what impacts consumers most and that is identity theft and payment fraud," the spokesperson said. Several similar bills have been proposed in the Senate.
Companies spent an average of $145 for each sensitive record exposed in a breach, according to a study last year sponsored by International Business Machines, and class-action suits, which usually follow such breaches, can affect companies for years.
The cost of a massive breach can be enormous. Target has spent millions of dollars as a result of its 2013 breach. The Target security breach compromised 40 million credit and debit card accounts, making it one that would have had to be disclosed in any case.
The discretion promised by the new bills may be good for business, since it would let companies choose how and when to notify customers. Companies could then handle breach notifications in a lower-profile manner, so that unnecessary fear is not spread among consumers worried that their personal information has been compromised.
"Companies would benefit from reduced demands on compliance functions," said Daren Orzechowski, a technology law specialist at White & Case. "It would allow companies to focus more on addressing the breach rather than running through volumes of statutes."