On June 9, 2011, Citigroup confirmed that its online banking platform Citi Account Online had suffered a data breach involving the names, credit card numbers, addresses, and email details of approximately 200,000 customers. While Citi has already notified the Office of the Comptroller of the Currency in accordance with FDIC Guidance, financial institutions responding to a breach must also comply with the breach notification laws of the individual states.
Citi is just the latest victim in a recent string of hacking attacks, with major companies like Sony, Epsilon, Michael’s Stores, Apple, and Google having suffered recent (and in some cases widely-publicized) breaches of their own. When a company suffers a data breach, it will often be faced with the complex task of complying with a multitude of different state laws that set divergent standards for breach notification. States often differ in how they define what type of personal information triggers notification, how long a company has to send notifications, and whether notifications must be sent to third parties (e.g., government agencies or consumer reporting agencies). Navigating the sea of 47 different state laws can be quite challenging for companies confronted with the task.
In May 2011, the White House proposed adoption of a federal data breach notification policy that would supersede the individual state laws. The policy would apply to for-profit and non-profit business entities engaged in or affecting interstate commerce that use, access, transmit, store, dispose of, or collect sensitive personally identifiable information about more than 10,000 individuals during any 12-month period. Under the policy, entities would be required to report security breaches to the Federal Trade Commission (“FTC”) and to the affected individuals within 60 days (subject to a 30-day extension granted by the FTC to conduct further investigation), unless there is no reasonable risk of harm or fraud to the individuals.
In a hearing held before the Subcommittee on Commerce, Manufacturing, and Trade on the recent data breaches suffered by Sony and Epsilon, Congresswoman Bono Mack (R-CA) used the opportunity to highlight the growing need for a federal privacy law and a national standard for data breaches, noting that the breaches serve as a “reminder that all companies have a responsibility to protect personal information and to promptly notify consumers when that information has been put at risk.” It is anticipated that Mack will release her version of a federal breach notification bill next week. During the hearings, Sony and Epsilon also expressed their support for a national breach notification law. Epsilon General Counsel Jeanette Fitzgerald perhaps summed up the argument for national breach notification law best when she said, “[t]he current patchwork of individual state breach notification laws only serves to create confusion among consumers and businesses, and imposes unnecessary compliance costs.” Both the Department of Commerce’s Privacy Green Paper and its Cybersecurity Report also support a national breach notification standard.
This is not the first time we have seen attempts to nationalize data breach notification law. Senator Patrick Leahy (D-VT) introduced legislation in 2005, 2007, and 2009, and most recently again this month. Leahy’s latest version of the bill would require businesses and federal agencies to notify individuals by letter, telephone, or e-mail. Media notice would be required for breaches involving at least 5,000 individuals, and the Secret Service would also need to be notified if the number exceeds 10,000. The bill requires that notices be given “without unreasonable delay following discovery” of the breach.
Until some genuinely preemptive federal standard emerges, we are stuck with the ongoing “patchwork” of the 47 individual state laws. Reed Smith has helped advise a number of companies through data breaches, whether in providing notices, subsequent class action litigation, or for insurance recovery matters. We will be following this issue closely.