McDonald Hopkins submits statement for the record to a congressional committee regarding state data breach notification laws
Statement highlights the need for uniformity and preventive policies
Cleveland, Ohio (August 8, 2013) – The national Data Privacy and Cybersecurity Practice at McDonald Hopkins has submitted a statement for the record to the House Energy and Commerce Committee's Subcommittee on Commerce, Manufacturing and Trade during its recent examination of state breach notification laws and potential federal preemption.
According to the Privacy Rights Clearinghouse, more than 608,278,176 records have been reported compromised since 2005. This does not include the many more that have gone unreported. According to the Verizon 2013 Data Breach Investigations Report, 75 percent of data breaches are of low or very low difficulty. Although foreign hacking makes the headlines, most data privacy incidents arise from simply lost devices (laptops, USB drives and smartphones). What is difficult for every organization, however, is attempting to comply with each of the 46 different state breach notification laws. For most organizations these laws are confusing, which leads to under-reporting, failure to act, or non-compliant notifications.
“We are often told by our clients, ‘I’m just trying to run my business; all of this is very confusing and a huge distraction’,” said James Giszczak, Chair of McDonald Hopkins’ national Data Privacy and Cybersecurity practice. “However, there are very good reasons these various statutes are in place. Less than 40 percent of businesses actually have a plan in place to respond to a data privacy incident. Those that do have plans in place typically have insufficient and inadequate plans that barely scratch the surface. Without these statutes, organizations would be driving down the highway at their own pace, from 20 mph to 200 mph. There would be no parameters to provide even a minimal level of order or safety for the general public.”
All states, with the exception of Alabama, Kentucky, New Mexico, and South Dakota, have a unique breach notification law. In fact, many experts argue that Texas's recently revised statute even covers the four states that do not currently have a breach notification law. The key to understanding these laws is that the residency of the affected individual governs which state breach notification law must be followed. It is irrelevant where the company is headquartered or where the device was stolen. Thus, in a majority of standard data privacy incidents, it is typical that several state notification laws, and possibly one or more federal statutes, must be complied with.
Based on this information, McDonald Hopkins provided two primary recommendations to the House Energy and Commerce Committee's Subcommittee on Commerce, Manufacturing and Trade:
The need for uniformity. McDonald Hopkins urged the Subcommittee that, if it considers a federal breach notification statute to preempt the 46 state statutes, a careful analysis of each of the 46 statutes must be conducted. The federal law would ideally implement the best provisions from each of the current state statutes in an effort to provide the citizens of this great country the most protection possible, without being overly burdensome on the organizations that are the engine of our economy.
The need for preventive policies. McDonald Hopkins strongly encouraged the Subcommittee to examine information security laws that would require organizations that have access to, use, or disclose personal information to implement certain strict preventive policies. For example, proactive measures can include drafting a Written Information Security Program and an Incident Response Plan, conducting employee training, and auditing internal policies as well as the data privacy measures used by third-party vendors. One-third of all breaches are the result of a vendor incident rather than of the company itself, which may have invested significantly in the security of its own systems. A federal law should require organizations to implement proactive measures and policies to help minimize the risk of a data breach requiring notification.
McDonald Hopkins’ statement for the record will be published in coming months and forever preserved by the Clerk of the House of Representatives. The firm’s input on this matter will provide Members of Congress with insight into the problem as it develops legislation to improve how organizations manage and report data breaches.
For more information, please contact James Giszczak at firstname.lastname@example.org
or Dominic Paluzzi at email@example.com
About McDonald Hopkins
McDonald Hopkins is a business advisory and advocacy law firm with offices in Chicago, Cleveland, Columbus, Detroit, Miami, and West Palm Beach. In January 2013, McDonald Hopkins launched a new subsidiary based in Washington, D.C., McDonald Hopkins Government Strategies LLC, led by former Congressman Steven LaTourette. McDonald Hopkins Government Strategies is not a law firm and does not provide legal services. For more information about McDonald Hopkins, visit mcdonaldhopkins.com.