
Aug 18, 2015 02:22 PM

Legal Login

with Mindi Giftos

Data breach wonderland: What's a business to do?

In February 2015, I reported with some optimism that the current U.S. Congress may actually pass a federal data breach notification law. But alas, in the dog days of summer, that optimism has waned and the likelihood of passing a federal law this year has significantly diminished. Concerns about the preemption of tougher state laws, vague security standards, and consumer privacy concerns have doomed federal efforts.

For the foreseeable future, businesses that collect any personally identifiable information (PII) from customers around the country will remain subject to the laws of 47 states, all of which have some type of data breach statutes. The challenge is those laws define PII differently, have varying notification requirements, and provide different remedies for customers who are harmed. Additionally, in the wake of recent highly publicized data breaches (Anthem, U.S. Office of Personnel Management, United Airlines) many states have amended their laws to add substantive security standards, procedures, and practices with which businesses must comply. For example, Rhode Island recently amended its law to require an entity that does business in the state and “stores, collects, processes, maintains, acquires, uses, owns, or licenses personal information” about a Rhode Island resident to ensure that it implements “a risk based information security program” to protect the data it holds. In addition, the following six states have made significant revisions to their statutes: Nevada, Wyoming, Washington, North Dakota, Montana, and Oregon.

Most Wisconsin businesses that collect PII have already been facing the challenge of complying with 47 states’ notification requirements. More of these laws will be amended to add security standards, which will increase the compliance challenge. At the same time, the risks of consumer class action lawsuits continue to increase. In addition, Federal Trade Commission and state attorney general enforcement actions loom against businesses that fail to use reasonable security measures to protect customer PII.

So what is a business to do? First, follow the steps set out in my prior post, Data Security: Congress and Courts Step Into the Breach. In addition, check with your IT staff and consultants to determine whether the security measures implemented in your business meet certain published standards, such as those issued by the PCI Security Standards Council or the National Institute of Standards. If your business experiences a data breach and PII is compromised, the ability to validate that you have implemented a comprehensive security program that meets certain published standards would greatly reduce the likelihood that consumer claims of negligence or FTC fair or deceptive trade practice claims would succeed. Proactive review of your security program and consultation with technology experts on how to better secure customers’ PII, as well as consultation with legal advisers on how to minimize legal risks through a robust compliance program, will go far in demonstrating that your business has acted in a reasonable manner, positioning you to better defend any claims of negligence by customers, vendors, or regulators.

Gina Carter is a shareholder in the Madison office of Whyte Hirschboeck Dudek S.C., where she leads the Intellectual Property Counseling & Protection Team and is a member of the Technology Law Team. She regularly advises on and litigates data breach and other intellectual property matters. Ms. Carter can be reached at


Feb 1, 2016 04:39 am
 Posted by  DanielCox

I like this read! The author is right talking that customer’s data is collected from the websites all over the world. It is good when it is done for statistics and analysis, on the other hand it is not very good when it is used for commercial tricks. That is why data security is important today. In my opinion, I think data room service is the best for this purpose.

Oct 26, 2016 01:44 am
 Posted by  Eli Cook

Truly I like your perspective is completely concurred and truly valued. Trust will soon get notification from you on this theme once more. Coincidentally, I was hunting down the most ideal approach to get assets for composing a paper on an assortment of point and simply surfing over the web and abruptly discovered your share. It was worth perusing and I truly made the most of your theme. Well, I want to peruse veritable substance and am sustaining my inadequate assignment. Really I was examining on this subject and was in the need of such a share on web.



About This Blog

Mindi Giftos and her colleagues in Husch Blackwell’s Technology Law group handle a wide variety of issues related to emerging and established technologies, including intellectual property, development and licensing, commercial contracting, and corporate transactions across a broad range of industries.
