Data breach wonderland: What's a business to do?
In February 2015, I reported with some optimism that the current U.S. Congress might actually pass a federal data breach notification law. But alas, in the dog days of summer, that optimism has waned and the likelihood of passing a federal law this year has significantly diminished. Concerns about the preemption of tougher state laws, vague security standards, and consumer privacy have doomed the federal efforts.
For the foreseeable future, businesses that collect any personally identifiable information (PII) from customers around the country will remain subject to the laws of 47 states, all of which have some type of data breach statutes. The challenge is those laws define PII differently, have varying notification requirements, and provide different remedies for customers who are harmed. Additionally, in the wake of recent highly publicized data breaches (Anthem, U.S. Office of Personnel Management, United Airlines) many states have amended their laws to add substantive security standards, procedures, and practices with which businesses must comply. For example, Rhode Island recently amended its law to require an entity that does business in the state and “stores, collects, processes, maintains, acquires, uses, owns, or licenses personal information” about a Rhode Island resident to ensure that it implements “a risk based information security program” to protect the data it holds. In addition, the following six states have made significant revisions to their statutes: Nevada, Wyoming, Washington, North Dakota, Montana, and Oregon.
Most Wisconsin businesses that collect PII have already been facing the challenge of complying with 47 states’ notification requirements. More of these laws will be amended to add security standards, which will increase the compliance challenge. At the same time, the risks of consumer class action lawsuits continue to increase. In addition, Federal Trade Commission and state attorney general enforcement actions loom against businesses that fail to use reasonable security measures to protect customer PII.
So what is a business to do? First, follow the steps set out in my prior post, Data Security: Congress and Courts Step Into the Breach. In addition, check with your IT staff and consultants to determine whether the security measures implemented in your business meet certain published standards, such as those issued by the PCI Security Standards Council or the National Institute of Standards. If your business experiences a data breach and PII is compromised, the ability to validate that you have implemented a comprehensive security program meeting such published standards would greatly reduce the likelihood that consumer negligence claims or FTC unfair or deceptive trade practice claims would succeed. A proactive review of your security program, consultation with technology experts on how to better secure customers’ PII, and consultation with legal advisers on how to minimize legal risk through a robust compliance program will go far in demonstrating that your business has acted reasonably, positioning you to better defend against any claims of negligence by customers, vendors, or regulators.
Gina Carter is a shareholder in the Madison office of Whyte Hirschboeck Dudek S.C., where she leads the Intellectual Property Counseling & Protection Team and is a member of the Technology Law Team. She regularly advises on and litigates data breach and other intellectual property matters. Ms. Carter can be reached at gcarter@whdlaw.com.