Quantifying the goodwill your customers and clients have for your organization has always been a black art. But now data security-breach notification laws provide a way to assign it a value based on market research. Forty percent of retail customers say they would consider terminating a relationship with a company that suffered (or "permitted," depending on your perspective) a breach resulting in dissemination of personal data, according to the Ponemon Institute. Somewhat fewer actually do so (19 percent of those surveyed took their business elsewhere). But while talk may be cheap, data breaches are expensive. Multiply that loss of customers by the cost of attracting new ones, and you'll have some idea of the breathtaking cost of a breach.
Data-breach laws are state-based, covering 35 states. But that could change with multiple federal data-breach bills in Congress, each of which would largely displace the state laws. Keeping abreast of these developments will help you proactively develop your compliance strategy. The IT-system changes these shifting legal demands require are like any other change request: often complicated, and always costly when fast-tracked.
Last congressional session, a federal data-breach law was close to enactment, except that the late-term legislative process stalled in the face of competing bills. Most have been resurrected and are primed for action to combat the continual stream of massive breaches in the private and public sectors.
These federal bills differ from typical state laws. First, the triggering event is often different. Most federal proposals require that a "material risk of harm" to a consumer be established, without which notification is not required. Only some state laws use such a trigger. As important, some proposals call for stakeholders--the breached company, a consumer protection agency or law enforcement--to determine whether material risk exists. Naturally, each may answer differently.
Second, many proposals call for involvement of federal law enforcement. An aggressive bill sponsored by Sen. Leahy (D-VT) calls in the feds for a "serious breach," defined to include disclosure of more than 10,000 personally identifiable information records or disclosure involving a database with more than 1 million PII records.