Revamped Data Breach Law Could Exclude Minor Attacks

Under newly proposed legislation, part of the data breach notification law Congress is looking to put in place, companies wouldn’t have to reveal minor cybersecurity breaches, The Wall Street Journal reported.

The initial proposal cast a wider net: it would require U.S. businesses to notify customers within 30 days after a confirmed data breach if their data might have been compromised by it. The new proposal would instead let companies decide whether notification is warranted, depending on the scope of the breach. If there is reason to believe the breach could lead to identity theft or fraud, companies would be obligated to report the attack; for lower-profile breaches, the new bill would allow companies to keep the breach undisclosed.

According to a statement relayed on behalf of a spokesman for U.S. Rep. Marsha Blackburn (R-Tennessee), “too much notification undercuts the value of useful notification.” Blackburn was one of the sponsors of the proposed bill. Because the purpose of the bill is to protect consumers from ID theft and payment fraud, breaches that do not rise to that larger-scope level could be set aside and handled internally by the company, Blackburn’s spokesman said.

Gerald Ferguson, a privacy attorney at Baker & Hostetler, told the WSJ that while the standard “would lead to less notifications,” it also opens the door for companies to make their own decisions about data breaches. This could make the process more convoluted, he suggested, since “when [companies] are starting to do a risk of harm analysis there is a lot of discretion.”

But that discretion may be good for the industry, said one technology law specialist, as it would enable companies to choose how, or when, they notify their customers. This could let companies handle breach notifications in a lower-profile manner, so that unnecessary fear is not created among consumers who may worry their personal information has been compromised.

“Companies would benefit from reduced demands on compliance functions,” Daren Orzechowski, a technology law specialist at White & Case, told WSJ. “It would allow companies to focus more on addressing the breach rather than running through volumes of statutes.”