Data breach prevention and response are again at the forefront of the public consciousness with the recent news of a massive data breach at Yahoo. The call for federal breach notification legislation was revived by the FTC on September 27, 2016, five days after the Yahoo breach was announced. During testimony before the U.S. Senate Committee on Commerce, Science and Transportation, the FTC reiterated “its longstanding, bipartisan call for federal legislation that would (1) strengthen its existing data security authority and (2) require companies, in appropriate circumstances, to provide notification to consumers when there is a security breach.” Just twelve days prior, John Carlin, assistant attorney general for national security at the Department of Justice, called for a unified federal breach notification law, referring to the existing spread of 47 state laws as “ridiculous.”
Yahoo reported the largest data breach to date, affecting at least 500 million user accounts. The tech giant is not alone in experiencing a significant data breach, as many American companies have suffered high-profile data breaches in the last couple of years. In light of major hacking events becoming increasingly prevalent in the news, consumers, regulators and legislators alike are focusing more intently on data breach response and prevention standards. Earlier this year, the FTC reported receiving 490,220 identity theft complaints from consumers during 2015—a 47% year-over-year increase.
Past attempts at federal breach legislation have stalled. In January 2014, the Data Security Breach Notification Act of 2014 was introduced in the Senate but did not move past referral to a Senate subcommittee. The following year, President Obama addressed the FTC and announced the introduction of new federal data breach notification legislation, among other measures to protect individual privacy and guard against identity theft. The Personal Data Notification and Protection Act of 2015 was introduced in the House of Representatives two months later in March 2015, but it also did not move past subcommittee review.
Currently, data breach notification laws exist at the state level—with 47 states plus D.C. each having its own breach notification law. Thus, companies storing the personal information of residents of multiple states—an increasingly common situation thanks to Internet commerce—may need to comply with dozens of separate breach notification standards in the event of a security incident.
It remains to be seen whether federal breach notification legislation will be enacted in the coming months or years. In the meantime, U.S. companies should understand that data breaches are here to stay—and will only become more prevalent. Accordingly, companies should be proactive in establishing functional policies to respond to a breach, and actively engage in tabletop exercises to ensure they are ready to address breach incidents swiftly and appropriately.