Huge cybersecurity breaches at major retailers caught the attention of the public and have made headlines. Now, a more recent breach at one of the major credit reporting agencies has the attention of Congress. 48 states and the District of Columbia already have some form of legislation governing security breaches. These statutes typically begin by laying out who is subject to the requirements, such as businesses and information brokers, and what information is considered protected “personal information.” The laws then outline what constitutes a breach, the requirements for providing notice, and exemptions to the law. What’s next, Congress?
Although still in their infancy, many of these laws have created a working outline for regulating security breaches. By defining the key terms and setting specific notice provisions, they also provide guidance to businesses and firms alike on how they must react to a security breach.
Litigation over security breaches is also fairly new, but the applicable regulations are useful in defending lawsuits over a potential breach. Differences among the states’ laws create some complications, as in any other area of law, but many similarities do exist.
However, the decision of Congress to wade into the area could fundamentally alter the current landscape depending on how the federal government approaches the subject. Several state attorneys general have urged Congress to set a floor for breach requirements, rather than preempt all existing state laws. On the other hand, it is almost certain that a variety of interests will seek friendlier notice requirements and the preemption of any stricter state laws. Regardless, these recent hearings should be of interest to all businesses and firms across the country. It will certainly be a long time before any law is actually passed, but various federal agencies like the Federal Trade Commission can already offer insight on how the federal government views security breaches by publishing guidance for businesses.
In addition to potentially giving an idea of where Congress could start in crafting legislation, these materials are extremely helpful in preparing internal operating procedures. It would therefore be in the interest of all firms and businesses to reevaluate their plans for responding to security breaches while keeping a close eye on Congress as it tackles this ever-changing area of the law.