InBox
08 2011
MORE: corpcounsel.com
Experts debate how quickly companies should tell customers about data breaches.
HOW FAST IS FAST ENOUGH?
By Sue Reisinger
In financial data breaches, timing is
almost everything. On June 13 a federal
court held Comerica Bank liable for data
breach losses even though it notified the
customer and stopped all account activity
within six hours. Two days later Citigroup
Inc. was explaining why it took nearly a
month to start notifying 360,000 customers of a breach. While Comerica didn’t
act fast enough for the court, experts say
Citi’s delay may have been justified.
Confusing? Such disparities can baffle
not only companies and consumers, but
also lawmakers trying to create a uniform standard for handling breaches.
As cybercrimes run rampant [see
“The Escalating Attacks on Data,” page
18], notifying customers has become a
hot-button issue. And it’s only grown
hotter with new studies suggesting that
all companies are vulnerable. A survey
released in April by the Michigan-based
Ponemon Institute, which specializes in
research on privacy and security issues,
showed that data theft is growing “more
frequent, more severe, and harder to
detect and stop.”
Privacy gurus like Marc Rotenberg
are worried. Rotenberg, executive director
of the Electronic Privacy Information
Center, has joined a cyberchorus calling
for the federal government to act.
Politicians are listening. In June alone,
there were three House and Senate hearings on cybercrimes and identity theft.
Citing a dramatic increase in attacks
that “threaten the future of electronic
commerce,” Representative Mary Bono
Mack (R-California), chairwoman of
the House subcommittee on commerce,
manufacturing, and trade, introduced
a draft bill in June that would establish
national standards for data security and
breach notification.
Though Mack is open to some
changes, she said at one hearing that
she wants any new law to require fast
notification to consumers. There are 46
state laws on data breaches, with differing
requirements. Some demand prompt
notice, while others simply say “in a
reasonable time” or “without undue
delay.” Mack prefers the fast track, arguing,
“Consumers should be promptly
informed when their personal information
has been jeopardized.”
Even the U.S. Chamber of Commerce
agrees that Congress needs to do something.
Jason Goldman, Chamber counsel
for telecommunications and e-commerce,
says his group supports a national uniform
standard on data breaches, “but we
need to work out the details.”
What Goldman means is that not
everyone agrees on what a new law
should require. While there are several
points of contention—preemption of
state laws is one—a key sticking point
continues to be timely notification of
customers.