With today’s advanced technology, data is routinely stored on computers and in electronic databases. Gone are the days of paper records and billing practices. All too often clients, customers, and stockholders have no idea where or how their personal and financial information is being stored. This is especially true for online retailers and even brick-and-mortar businesses as customer information, personal information, financial information, and other data is amassed and stored. No longer does a thief have to gain physical entry into a business. Instead, a skilled hacker can gain instant access to sensitive information and steal money and data with nothing more than a computer and an internet connection. With a click of a mouse button, and from the comfort of their own home, hackers can obtain money and sensitive information from sources spanning the globe. No site or computer is entirely safe from this worldwide threat.
Data theft is a complicated and recurring problem that is difficult to control. As one breach is identified and addressed, more crop up. It is a never-ending problem that only compounds as time goes on and technology gets more advanced. Often these breaches and thefts go unannounced to customers, the general public, and even unsuspecting investors since very few reporting requirements are in place. All can be targets, yet few will ever know if they are victims.
One would think there are protections in place to address this very problem. However, instead of a coherently linked system of protection and notification, a confusing spider web of individual state reporting requirements exists for victims and, even worse, a lax non-mandatory reporting requirement is in place for informing investors. Overall, the problem is a genuine lack of consistency and enforcement.
For years Congress has attempted to pass a federal data breach law requiring notification of victims when their data is compromised. The current version of this bill, The Data Security Breach and Notification Act of 2012, would replace the convoluted mess of individual state reporting laws and instead introduce a single unified system. It would require notifying victims of any data loss and also require notifying the Federal Bureau of Investigation (FBI) and the United States Secret Service if a predetermined quantity of data is lost. Failing to make the required notification could result in monetary punishment including a fine up to five hundred thousand dollars ($500,000). (See Note 1).
Similar legislation has failed to succeed due to fragmented state interests, disagreements over fines and thresholds, and a lack of overall support. Critics predict that the 2012 efforts will languish much like past attempts.
Addressing concerns of investors has fared little better. The Securities Exchange Commission (SEC) currently requires companies to report breaches that lead to “material risks” to investors. (See Note 2). There is only one small problem. The SEC requires notification yet allows companies to decide whether to comply, because the requirement is non-mandatory and no actual enforcement or punishment is available. This lack of enforcement and punishment troubles investors, as the very people making investment decisions may be relying on incomplete information released by the companies.
With current data breaches like those recently experienced by LinkedIn, eHarmony, the Wyndham Hotel, and many others, it appears that data theft is here to stay. Companies need to offer their clients protection using the best methods available and should follow industry best practices for safeguarding personal and financial information as well as maintaining overall computer and database security. While it may tarnish a company’s image in the short term, the least these companies can do is to notify victims and investors. It is not asking too much considering it is these very same people getting their data stolen who ultimately fund these businesses and online enterprises. It is about time these companies return the favor…
For additional information please email Ian Friedman at email@example.com or visit www.faflegal.com.
1. Dan Kaplan, Four Senators Hope Time Is Right for Federal Data Breach Bill, SCMAGAZINE.COM (2012), http://www.scmagazine.com.
2. Associated Press, Senator Calls for Stricter Guidelines Requiring Corporations to Inform Investors of Cybercrime, WASHINGTONPOST.COM (2012), http://www.washingtonpost.com.