U.S. companies allowed to delay disclosure of data breaches

A decade of lawmaking by U.S. states to ensure consumers are told when their data has been hacked still lets companies such as Target Corp wait weeks or even months to disclose security breaches.

Forty-six of 50 U.S. states have passed laws requiring disclosure, starting with California in 2002, but the laws vary in terms of when and how notice must be given, and most states allow for delays to investigate the intrusion.

Calls for federal action, including by the U.S. Federal Trade Commission, have gone unheeded by Congress. And guidelines to safeguard investors in public companies also do not give clear guidance on timing and do not require disclosures that would compromise a company's cyber security.

Consumer advocates have criticized Target, where data from 40 million credit and debit cards and 70 million other records containing customer information was stolen.

State attorneys general are probing the breach. Target says it acted quickly after taking defensive action.

"It's a judgment call," said Joseph DeMarco, a former head of the cyber crime unit at the U.S. Attorney's office in Manhattan, citing the time it takes for companies to find out what happened.

"A breach investigation could take weeks or months before you know enough to have a legal obligation to disclose."

Target, the third-largest U.S. retailer, said on December 19 that hackers had stolen data from up to 40 million credit and debit cards of shoppers who visited its stores between November 27 and December 15.

Chief Executive Gregg Steinhafel said that Target made its announcement four days after it "confirmed that we had an issue." The retailer has not said when it first learned of the break-in.

Then, on January 10, the company said the breach was bigger than initially thought: that hackers also stole personal information of 70 million customers.

Another retailer, Neiman Marcus, said last Friday that it was warned about a possible breach in mid-December and that an outside forensics firm confirmed the intrusion on January 1.

Both the Target and Neiman Marcus breaches were first revealed publicly by an independent blogger.

In addition, three other retailers suffered breaches during the holiday shopping season that have yet to be publicly disclosed, according to sources familiar with the attacks.

PATCHWORK OF LAWS

California was the first state to pass a law requiring disclosure of a hack, and its rules remain among the toughest.

The state requires notification when unencrypted personal information is reasonably believed to have been taken by an unauthorized person. The notices must describe the information at risk, give the date of the intrusion, say whether the notice was delayed, and provide the name and contact information for the company.

Still, California's statute gives some leeway. It demands disclosure in "the most expedient time possible and without unreasonable delay," taking into consideration law enforcement needs and time for the company to restore the integrity of its system.

"The first order of business regardless of any state law is to plug the hole, protect the user and then worry about reporting," said Albert Gidari, a lawyer who has helped companies deal with dozens of security breach investigations and issue notices to consumers.

Only a handful of states require notice by a specific deadline. Florida, Vermont and Wisconsin, for example, give entities 45 days from the date of discovery. But even those states allow exceptions, such as when disclosure could hinder a police investigation.

Some states require that consumers be notified once certain types of information are accessed without authorization, while a greater number let companies evaluate the risk of identity theft and other harm to consumers in deciding whether to notify.

Susan Lyon-Hintze, another lawyer who works with victimized companies, said it was risky to disclose too early, which would tip off hackers to investigations. "That can actually lead to more harm for consumers in the long run," she said. "They'll shut down their operations and move onto the next company."

PROTECTING SALES?

Jamie Court, president of Los Angeles-based public interest group Consumer Watchdog, said the timing of the Target and Neiman Marcus announcements raises questions about whether the retailers wrongly delayed telling consumers. He called on state attorneys general to look into whether companies failed to disclose their breaches to maintain sales over the holidays.

Target spokeswoman Molly Snyder said the company acted as quickly as it could. "As soon as we confirmed the point of access to our system, closed it and eliminated it, we moved swiftly through the notification process," Snyder said in an email. Ginger Reeder, a spokeswoman for Neiman Marcus, denied its disclosure timing was influenced by sales considerations.

Connecticut Attorney General George Jepsen, who is helping to lead a coalition of more than 30 states probing the Target attack and possibly others, may look into whether Target unreasonably delayed its announcement.

"One of the issues we look at in data breach investigations is the timeliness and adequacy of notification to appropriate government authorities and to consumers," the attorney general's spokeswoman, Jaclyn Falkowski, said.

Penalties for failing to disclose breaches vary by state. Some have a maximum penalty for each attack and depend on how many people are affected. In Michigan, for example, fines can range up to $250 per failure and $750,000 per breach.

In 2011, health insurer WellPoint Inc agreed to pay Indiana $100,000 to settle a lawsuit the state attorney general filed under its data-breach notification law. WellPoint took months to notify consumers of a breach and failed to tell the attorney general, despite operating under a law that requires both "without unreasonable delay."

According to Patrick Fowler, another lawyer who advises companies on security breaches, some states allow consumers to file lawsuits for unreasonable delays, while others leave it to the attorney general.

The U.S. Securities and Exchange Commission issued guidelines in 2011 that public companies such as Target must follow in connection with cyber attacks. The SEC said the companies may need to tell investors if an attack occurred and its potential costs and other consequences.

Typically, the disclosures come in the company's next filing, whether it is a quarterly or annual report.

But since the SEC guidance came out, "companies have tended to include generic risk factors rather than disclose specific incidents," said Todd Hinnen, a former acting assistant attorney general at the U.S. Justice Department.

(Reporting by Karen Freifeld; Additional reporting by Ross Kerber and Jim Finkle in Boston; Editing by Eddie Evans and Steve Orlofsky)
