The national Data Privacy and Cybersecurity Practice at McDonald Hopkins has submitted a statement for the record to the House Energy and Commerce Committee's Subcommittee on Commerce, Manufacturing and Trade during its recent examination of state breach notification laws and potential federal preemption.
According to the Privacy Rights Clearinghouse, more than 608,278,176 records have been reported compromised since 2005. Of course, many more have gone unreported, so this figure is probably three to five times higher. According to the Verizon 2013 Data Breach Investigations Report, 75 percent of data breaches are of low or very low difficulty. Although foreign hacking makes the headlines, most data privacy incidents arise out of simply lost devices (laptops, USB drives and smartphones). What is difficult for every organization, however, is attempting to comply with each of the 46 different state breach notification laws; for most organizations these laws are confusing, which leads to under-reporting, failure to act, or non-compliant notifications.
In our statement of record, we noted:
We are often told by our clients, “I’m just trying to run my business; all of this is very confusing and a huge distraction.” However, there are very good reasons that these various statutes are in place. Most critically, less than 40 percent of businesses actually have a plan in place to respond to a data privacy incident. Those that do have plans in place typically have insufficient and inadequate plans that barely scratch the surface. Without these statutes, organizations would be driving down the highway at their own pace, from 20 mph to 200 mph. There would be no parameters to provide even a minimal level of order or safety for the general public.
All states, with the exception of Alabama, Kentucky, New Mexico, and South Dakota, have a unique breach notification law. In fact, many experts argue that Texas’s recently revised statute even covers the four states that do not currently have a breach notification law. The key to understanding these laws is that the residency of the affected individual governs which state breach notification law must be followed. It is irrelevant where the company is headquartered or where the device was stolen. Thus, in most standard data privacy incidents, several state notification laws, and possibly one or more federal statutes, must be complied with.
Based on this information, McDonald Hopkins provided two primary recommendations to the House Energy and Commerce Committee's Subcommittee on Commerce, Manufacturing and Trade:
- The need for uniformity. We urged the Subcommittee that, if it considers a federal breach notification statute to preempt the 46 state statutes, a careful analysis of each of the 46 statutes must be conducted. The federal law would ideally implement the best provisions from each of the current state statutes in an effort to provide the citizens of this great country the most protection possible, without being overly burdensome on the organizations that are the engine of our economy.
- The need for preventive policies. We strongly encouraged the Subcommittee to examine information security laws that would require organizations that access, use or disclose personal information to implement certain strict preventive policies. For example, proactive measures can include drafting a Written Information Security Program and an Incident Response Plan, conducting employee training, and auditing both internal policies and the data privacy measures used by third-party vendors. One-third of all breaches result from an incident at a vendor rather than at the company itself, even where that company has invested significantly in the security of its systems. A federal law should require organizations to implement proactive measures and policies to help minimize the risk of a data breach requiring notification.
McDonald Hopkins’ statement for the record will be published in the coming months and permanently preserved by the Clerk of the House of Representatives. Our input on this matter will provide Members of Congress with insight into the problem as Congress develops legislation to improve how our nation reports electronic data breaches.