Under proposed legislation that has been introduced to Congress in recent months, U.S. companies would be empowered to decide whether to alert their customers in the event of a data breach. According to an article published by the Wall Street Journal, the legislation would require companies to notify their customers of a security incident only in instances where those customers are at risk of serious identity theft or fraud. These federal legislative measures would override state notification laws, many of which require that companies alert their customers in the event of any type of security breach. Gerald Ferguson, a privacy attorney at Baker & Hostetler LLP who counsels companies on how to handle breaches, believes these new laws would grant companies additional time to conduct harm analyses of an incident.
“When you are starting to do a risk of harm analysis there’s a lot of discretion,” Ferguson told WSJ.
Additionally, advocates of the legislation feel that companies would not need to send out as many notifications, which could save them millions of dollars. The costs of a data breach are already high. As of this writing, Target is nearing a $20 million settlement with MasterCard to reimburse them for the costs they incurred as a result of a data breach it suffered in 2013. This is in addition to the $10 million agreement the company announced back in March that will settle a breach-related class-action lawsuit. These figures mirror the fact that the cost of restoring and protecting an account compromised by a security incident has risen from USD 136 in 2013 to USD 145, according to a report issued by the Ponemon Institute.
Despite the benefits, some are wary about granting companies the ability to decide in the best interest of their customers should they experience a data breach. Others feel that the legislation, especially the Data Security and Breach Notification Act of 2015, would remove a number of data breach protection measures currently provided by state laws. These legislative acts are currently awaiting deliberation in both chambers of Congress.