Forty-six of 50 U.S. states have passed laws requiring disclosure,
starting with California in 2002, but the laws vary in terms of when
and how notice must be given, and most states allow for delays to
investigate the intrusion.
Calls for federal action, including by the U.S. Federal Trade
Commission, have gone unheeded by Congress. And guidelines to
safeguard investors in public companies also do not give clear
guidance on timing and do not require disclosures that would
compromise a company's cyber security.
Consumer advocates have criticized Target, where data from 40
million credit and debit cards and 70 million other records
containing customer information was stolen.
State attorneys general are probing the breach. Target says it acted
quickly after taking defensive action.
"It's a judgment call," said Joseph DeMarco, a former head of the
cyber crime unit at the U.S. Attorney's office in Manhattan, citing
the time it takes for companies to find out what happened.
"A breach investigation could take weeks or months before you know
enough to have a legal obligation to disclose."
Target, the third-largest U.S. retailer, said on December 19 that
hackers had stolen data from up to 40 million credit and debit cards
of shoppers who visited its stores between November 27 and December
15.
Chief Executive Gregg Steinhafel said that Target made its
announcement four days after it "confirmed that we had an issue."
The retailer has not said when it first learned of the break-in.
Then, on January 10, the company said the breach was bigger than
initially thought: that hackers also stole personal information of
70 million customers.
Another retailer, Neiman Marcus, said last Friday that it was warned
about a possible breach in mid-December and that an outside
forensics firm confirmed the intrusion on January 1.
Both the Target and Neiman Marcus breaches were first revealed
publicly by an independent blogger.
In addition, three other retailers suffered breaches during the
holiday shopping season that have yet to be publicly disclosed,
according to sources familiar with the attacks.
PATCHWORK OF LAWS
California was the first state to pass a law requiring disclosure of
a hack, and its rules remain among the toughest.
The state requires notification when unencrypted personal
information is reasonably believed to have been taken by an
unauthorized person. The notices must describe the information at
risk, give the date of the intrusion, say whether the notice was
delayed, and provide the name and contact information for the
company.
Still, California's statute gives some leeway. It demands disclosure
in "the most expedient time possible and without unreasonable
delay," taking into consideration law enforcement needs and time for
the company to restore the integrity of its system.
"The first order of business regardless of any state law is to plug
the hole, protect the user and then worry about reporting," said
Albert Gidari, a lawyer who has helped companies deal with dozens of
security breach investigations and issue notices to consumers.
Only a handful of states require notice by a specific deadline.
Florida, Vermont and Wisconsin, for example, give entities 45 days
from the date of discovery. But even those states allow exceptions,
such as when disclosure could hinder a police investigation.
Some states require that consumers be notified once certain types of
information are accessed without authorization, while a greater
number let companies evaluate the risk of identity theft and other
harm to consumers in deciding whether to notify.
Susan Lyon-Hintze, another lawyer who works with victimized
companies, said it was risky to disclose too early, which would tip
off hackers to investigations. "That can actually lead to more harm
for consumers in the long run," she said. "They'll shut down their
operations and move onto the next company."
PROTECTING SALES?
Jamie Court, president of Los Angeles-based public interest group
Consumer Watchdog, said the timing of the Target and Neiman Marcus
announcements raises questions about whether the retailers wrongly
delayed telling consumers. He called on state attorneys general to
look into whether companies failed to disclose their breaches to
maintain sales over the holidays.
Target spokeswoman Molly Snyder said the company acted as quickly as
it could. "As soon as we confirmed the point of access to our
system, closed it and eliminated it, we moved swiftly through the
notification process," Snyder said in an email. Ginger Reeder, a
spokeswoman for Neiman Marcus, denied its disclosure timing was
influenced by sales considerations.
Connecticut Attorney General George Jepsen, who is helping to lead a
coalition of more than 30 states probing the Target attack and
possibly others, may look into whether Target unreasonably delayed
its announcement.
"One of the issues we look at in data breach investigations is the
timeliness and adequacy of notification to appropriate government
authorities and to consumers," the attorney general's spokeswoman,
Jaclyn Falkowski, said.
Penalties for failing to disclose breaches vary by state. Some set
a maximum penalty per attack, with the amount depending on how many
people are affected. In Michigan, for example, fines can range up to
$250 per failure and $750,000 per breach.
In 2011, health insurer WellPoint Inc agreed to pay Indiana $100,000
to settle a lawsuit the state attorney general filed under its
data-breach notification law. WellPoint took months to notify
consumers of a breach and failed to tell the attorney general,
despite operating under a law that requires both "without
unreasonable delay."
According to Patrick Fowler, another lawyer who advises companies on
security breaches, some states allow consumers to file lawsuits for
unreasonable delays, while others leave it to the attorney general.
The U.S. Securities and Exchange Commission issued guidelines in
2011 that public companies such as Target must follow in connection
with cyber attacks. The SEC said the companies may need to tell
investors if an attack occurred and its potential costs and other
consequences.
Typically, the disclosures come in the company's next filing,
whether it is a quarterly or annual report.
But since the SEC guidance came out, "companies have tended to
include generic risk factors rather than disclose specific
incidents," said Todd Hinnen, a former acting assistant attorney
general at the U.S. Justice Department.
(Reporting by Karen Freifeld; additional
reporting by Ross Kerber and Jim Finkle in Boston; editing by Eddie
Evans and Steve Orlofsky)
Copyright 2014 Thomson Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.