“It’s time,” Holder said in a recent video statement as he called upon Congress to act.
It should be noted that no fewer than 46 states as well as the District of Columbia, Guam, Puerto Rico and the Virgin Islands have individual policies and standards for data breach notifications. While a national standard would not have the intent of superseding existing standards observed by individual regions, the existence of a national standard may prompt individual states to align their policies with that of the national protocol.
The executive VP and CFO of Target Corp., John Mulligan, noted earlier this year that he would welcome a single federal standard for notifying customers when their data had been breached. Target was the victim of a massive security breach last year that may have affected upwards of 70 million consumers, according to Holder’s video message. But Target is not alone in its vulnerability, in spite of best encryption efforts and other measures designed to keep data secure and safely out of reach from hackers.
While Holder did not detail what he has in mind, various bills aimed at creating a national standard have been introduced in recent years in Congress. The Personal Data Privacy and Security Act brought to the floor of Congress by Senator Patrick Leahy (D-Vermont), who is the chairman of the Senate Judiciary Committee, is one of two efforts of note aimed at establishing such a standard.
Leahy’s bill would require businesses, generally, to inform customers about a breach within 60 days of its discovery. If fewer than 5,000 customers were affected, companies would only need to issue breach notification messages through the mail, telephone or e-mail to those individuals affected by the breach. Above 5,000 customers, a company would also be required to make public statements through the media.
Another effort, known as the Data Security Act, would leave it to the Federal Trade Commission (FTC) and various other federal agencies to decide when and how businesses and corporations inform their customers that a data breach has occurred.
For his part, Michael Kingston of Neiman Marcus Group Ltd. offered no opinion on the creation of a national standard. However, the senior VP and CIO for the specialty department store stressed the need for flexibility. “I do think…these investigations; these events are different and, on a case-by-case basis, need to be handled differently.”
Neiman Marcus was also the target of a security breach last year.
Until a national standard is adopted, companies that have been the target of a data breach have little recourse other than to follow the protocol adopted by their home state or simply do what they think is right toward informing their customers of the unthinkable.
Some customers think it’s not good enough, and call their attorneys.