Richard J. Sullivan and Jesse Leigh Maniff, of the Federal Reserve Bank of Kansas City, recently penned an interesting article titled “Data Breach Notification Laws.”
The authors noted that, “Data breaches, which expose sensitive data often used for payment fraud and identity theft, have recently worsened in the United States. Exposed records provide essential data for identity thieves, who in 2014 victimized 17.6 million people in the United States. As a consequence, policymakers are placing greater emphasis on procedures to protect consumers from harm.
“Breach notification laws are one such approach. Forty-seven state laws and some sector-specific federal laws already require organizations suffering a breach to disclose the incident and notify consumers if their data were exposed. In theory, breach notification laws serve two purposes important to public policy. First, they provide an incentive for organizations to protect sensitive data, as publicly disclosed security failures may harm their reputation and trigger costly remediation activities. Second, they inform individuals whose records were exposed, allowing them to react quickly to mitigate potential damages.”
The paper also stated that, “An organization’s legal duty to secure personal information can arise from tort law or legislation. In tort law, an organization may have a duty to protect its customers if the organization increases the foreseeable risk of harm from third-party criminals. If customers cannot prove this duty exists, they will be unable to satisfy a negligence claim against a breached organization. Even if customers prove this duty exists, they must then prove that the organization breached its duty, that the breach caused the harm, and that damages ensued. In previous cases, customers have had difficulty proving how they were harmed by the breach.
“To fill the gap, many state legislatures have enacted statutes affirming organizations’ legal duty to secure personal information and codifying potential consequences of their failure to do so. The most common way states have created this legal duty is by enacting data breach notification laws that require organizations to notify customers if a breach occurs. These laws have their foundation in environmental law’s ‘community right to know’ (CRTK) provisions.”
At the conclusion of the paper, the authors indicated that, “In this article, we present evidence of data breach notification laws’ ‘right to know’ effect through which increased disclosure of breaches is associated with reduced identity theft. We find states with provisions that signal active state enforcement have lower rates of identity theft. Likewise, states with provisions that provide incentives to organizations to comply with notification requirements have lower identity theft. Finally, states with a provision that exempts organizations from notification laws if they have internal policies to notify customers also have lower identity theft.”
In addition to implementing safeguards to protect customer data, business organizations that warehouse customer data should also be aware of the jurisdictional procedures and legal requirements that apply if a data breach occurs.