
Tuesday, December 4, 2012

Data Breaches: Some Lessons

Some of our readers may have read about recent high-profile data breaches, such as the one involving credit card information taken from many Barnes & Noble retail stores. Or they may have heard of the huge class action lawsuits against Sony that resulted from its handling of a 2011 incident in which hackers broke into the Sony PlayStation Network. In that case, the hackers accessed names, addresses, user names, passwords, and other personal information from about 77 million user accounts. And they may have read about the breach involving TD Bank, in which TD Bank misplaced computer back-up tapes containing personal information for 267,000 customers in March 2012, but did not inform the affected customers and pertinent state authorities until seven months later, in October. Each of these instances brings to light some apparent misconceptions regarding the handling of data breaches.

Myth 1: There is no law that requires action in the event of a data breach.

Fact 1: There is no federal law (aside from laws regarding specialized industries such as banking and health care) that requires a response. However, 46 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands require certain actions be taken in the event of a data breach regarding personal information, and each of these laws is different.

Myth 2: My company only needs to comply with the data breach laws of the states in which my company has an office or other physical presence.

Fact 2: A company is subject to the data breach laws of not only the states in which it has a physical presence but also the states in which it has customers.

Myth 3: I need only look at one state’s laws if there has been a data breach.