Congress’s continuous failure to enact any federal data breach standard means states continue to take matters into their own hands on how organizations must legally protect entrusted information. The most recent legislative cycle featured numerous states that amended the timeline for notification. This trend should not go unnoticed by businesses, big or small, as the breach timeline to respond grows shorter by the day.
From Ambiguity to Specificity
State breach notification laws around the country used to feature timeframes open to interpretation. Recent amendments signaled a shift in the timeline by which a business must respond, an evolution previously marked with ambiguity to sudden specificity. State laws in Arizona, Colorado and Louisiana formerly required notification “in the most expedient manner possible and without unreasonable delay.” What exactly was expedient? 50 days? What about 100 days from the date of discovery? The Arizona Data Security Breach law now requires notice to occur within 45 days of the breach’s discovery. Colorado, meanwhile, joined Florida in the implementation of the shortest notification timeframe for any state on record — 30 days. Louisiana’s amendment now means the state falls in the middle of its Western neighbors with a notice timeframe of 60 days.
If you ask any cybersecurity specialist about breach response, the refrain is almost always the same: Every situation may be different, but the time to assess, mitigate and respond is invariably short. These amendments now put the onus on companies to engage in proactive versus reactive approaches to data security. In the absence of an incident response plan that clearly spells out directives like who to call, what to do and when, the end result for unprepared companies is often the same — a hastily thrown together notification short on answers and long on consumer questions (e.g., Equifax). Although a topic for another time, it’s worth noting that the General Data Protection Regulation (GDPR) requires an organization to report a breach within seventy-two hours of discovery. Three days!
“We’ll Take Our Chances”
I once received a call from a company who accepted payment card information. In monitoring web traffic about the services it provided, the Company become aware of customer comments that repeatedly made mention of unauthorized charges. The Company (with great trepidation, I may add) performed an internal audit of its network. The audit’s findings revealed a breach that took place well over a year from the date of discovery. The intruder had made off with a large cache of credit card information.
This company called me to ask about the legal obligations and ramifications from their newly discovered breach. I asked preliminary questions like the estimated number and general location of those affected. Why? Because the answers to these questions largely dictate the legal pain/cost a company faces with breach response. When I finished, the voices on the other end of the phone grew quiet. Finally, a response: “I think we’re going to take our chances.” Meaning what exactly, I asked. “We are not going to notify people that this occurred.” And like that, the call was over.
Yale, on the Other Hand
Personal feelings aside on how much of a mistake this company’s course of action is/was, it should come as no surprise that far too often companies discreetly sweep breach incidents under the rug. The ignorant hope is the passing of time with no reports of information misuse means no harm, no foul, right? Wrong, according to Yale University, whose recent actions did not prescribe to this point of view. Two months ago, Yale discovered a breach of a University database more than a decade after the fact. The intruder extracted the names, dates of births and social security numbers of alumni, faculty, and staff. Better late than never, Yale made the decision to notify more than 119,000 affected (notice here). It’s worth noting that Yale’s June discovery and subsequent July notification of the breach took place within the state of Connecticut’s required timeframe of ninety days or less.
Without a federal framework that requires all companies to play by the same rules, the patchwork of state breach notification laws make for a dizzying array of deadlines. If affected consumers live all over the country, companies have no choice but to understand the different timelines by which they must legally notify people of the incident. As breach notification timelines grow shorter by the day, a company’s executive management, IT Department, and legal must work in tandem to plan accordingly.
Have any questions? Need help coming up with an incident response plan that will legally protect your business from cyber liability? Contact us today.