Thursday, May 21, 2009

Lost my data? Oh, thanks for telling me!

IN A PERFECT WORLD, if a company suffered a data or security breach or compromise, it would have to notify only the customers it had in the state where it was incorporated or headquartered. Or, slightly more onerous, the company would notify all of its customers, but only according to the notification and disclosure law(s) (if any were in effect) in the state where it was headquartered. The company would always disclose these incidents, since doing so is in the best interest of both the company, which builds goodwill with its customers, and the customers, who are made aware of an untoward event that may make their financial lives a bit less agreeable.


IN THE REAL WORLD, of course, this does not always happen, if it happens at all. In fact, as recently as 2003, before California SB 1386 (the California Security Breach Information Act, the first law of its kind) took effect, the de facto procedures companies followed if and when a breach occurred were generally left to the discretion of company management. And before then, when do you ever remember receiving the kind of notification letters you probably receive a few times a year now, whenever a company loses a laptop, backup tape, server, box of files, etc.?

As of this writing, there are 45 unique state breach notification laws that companies doing business in more than one state must contend with. As my business associate Todd Ruback, a privacy/data breach and Internet attorney (CIPP) at DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, likes to remind me, there are still companies, and not just small ones, that mistakenly believe you only have to comply with the breach laws of your own state, regardless of where your customer base resides. Not true! The laws that apply are generally those of the states where the affected customers reside, not the state where the company happens to sit.

If it weren't for these laws, most breaches, compromises, and data losses by companies would go unreported. Companies were always frightened that disclosing this information would cause customers to lose faith and confidence in the company's ability to protect the sensitive information with which it was entrusted. And they had good reason to be afraid. Historically, consumers would abandon any company that showed a blatant disregard for the protection of its customers' data. Today, probably due to the overall plunge in customer service quality and the public's general acceptance of this dismal state of affairs, breach notices received in the mail are treated with a lot less interest than the new Victoria's Secret catalog. And that is a shame, because as much as you would like it to, a sexy new swimsuit won't change your life for the better. However, one of these notices telling you that your personal and sensitive information has been lost and is now in the ether somewhere may just change your life for the worse.
