Last September, Equifax announced that their servers had been breached, resulting in the theft of around 150 million Americans’ social security numbers. The kicker for many was that, on top of a lost sense of security in one’s financial future, Equifax was slow to tell anybody about the breach and, when they finally did, they handled it poorly. In the six weeks between when Equifax found out about the breach and when they finally broke the news to the public, executives in the know sold millions of dollars’ worth of stock. The company’s response to consumer inquiries about the integrity of their social security numbers was to require consumers to waive their right to join a class action suit against the company before they could learn any information.

Poor public responses cannot reasonably be fixed, but one thing can: companies should not be allowed to forgo telling consumers that their sensitive information has been compromised for a month and a half. The idea appears to enjoy broad support across the nation. Forty-eight states (Alabama and South Dakota are the outliers), Washington D.C., Guam, Puerto Rico, and the Virgin Islands have all enacted some sort of security breach notification law.

“Well then,” one might ask, “why even have this conversation?” The issue with the state regulations is their variance. They differ on who must comply with the law, what the definition of “personal information” is, what constitutes a breach, the length of time a firm has to provide notice, and even what “notice” means. A federally promulgated rule could resolve the existing discrepancies between state laws and protect citizens in Alabama and South Dakota who are currently without any kind of coverage. The benefit of congressional action hinges on whether the rule is promulgated with meaningful guidance. The SEC recently posted an interpretive release in which the commissioners said they believe it is critical that companies inform investors about risks and incidents “in a timely fashion.” This guidance is spectacularly unhelpful when a “timely fashion” is undefined: a squishy standard could easily allow the Equifax notice, clocking in at 41 days, assuming the company can come up with arguable post-hoc excuses.

The Data Security and Breach Notification Act was introduced in the Senate last September. So far, the bill has been read twice, then punted to the Committee on Commerce, Science, and Transportation. The bill would generally require a company to notify consumers of a breach within 30 days (unless a law enforcement agency tells them not to). Given the proliferation of state data breach laws, public support for this bill would likely be high. Congress should strongly consider passing the Act to give consumers some ability to take action to protect themselves, and to give businesses a single standard to work with.

Eric Hyla