US Attorney General Seeks National Standard for Data Breach Disclosure

Washington, DCThe reality that finds more and more Americans conducting increasing transactions online, together with the existence of personal information parked and stored within various sources vulnerable to being hacked, suggests that data breaches will continue to be a growing threat. To that end, US Attorney General Eric Holder Jr. is on record as stating the time for creating a national policy on data breaches, and specifically a standard for when customers are notified that their data has been hacked, is now.

“It’s time,” Holder said in a recent video statement as he called upon Congress to act.

It should be noted that no fewer than 46 states as well as the District of Columbia, Guam, Puerto Rico and the Virgin Islands have individual policies and standards for data breach notifications. While a national standard would not have the intent of superseding existing standards observed by individual regions, the existence of a national standard may prompt individual states to align their policies with that of the national protocol.

The executive VP and CFO of Target Corp., John Mulligan, noted earlier this year that he would welcome a single federal standard for notifying customers when their data had been breached. Target was the victim of a massive security breach last year that may have affected upwards of 70 million consumers, according to Holder’s video message. But Target is not alone in its vulnerability, in spite of best encryption efforts and other measures designed to keep data secure and safely out of reach from hackers.

While Holder did not detail what he has in mind, various bills aimed at creating a national standard have been introduced in recent years in Congress. The Personal Data Privacy and Security Act brought to the floor of Congress by Senator Patrick Leahy (D-Vermont), who is the chairman of the Senate Judiciary Committee, is one of two efforts of note aimed at establishing such a standard.

Leahy’s bill would require businesses, generally, to inform customers about a breach within 60 days of its discovery. If fewer than 5,000 customers were targeted, companies would only need to issue breach notification messages through the mail, telephone or e-mail to those individuals affected by the breach. Above 5,000 customers, and a company would also be required to make public statements through the media.

Another effort, known as the Data Security Act, would leave it up to the Federal Trade Commission (FTC) and various other federal agencies with regard to when and how business and corporations inform their customers when a data breach has occurred.

For his part, Michael Kingston of Neiman Marcus Group Ltd. offered no opinion of the creation of a national standard. However, the senior VP and CIO for the specialty department store stressed the need for flexibility. “I do think…these investigations; these events are different and, on a case-by-case basis, need to be handled differently.”

Neiman Marcus was also the target of a security breach last year.

Regardless of what form a national standard takes, the fact remains that consumers trust companies that ask for or require personal information to keep their information secure, in order to avoid identity theft and other breaches that could potentially harm a consumer’s credit rating, not to mention other problems. Little wonder that many organizations that have been hacked are the target of lawsuits by consumers who feel security measures preventing data breach - or disclosure of such a breach - were insufficient.

Until a national standard is adopted, companies that have been the target of a data breach have little recourse other than to follow the protocol adopted by their home state or simply do what they think is right toward informing their customers of the unthinkable.

Some customers think it’s not good enough, and call their attorneys.