Get updates by email

Select Specific Blog Updates

Paul Zimmerman

Photo of M&R Blog

asnida marwani ©

Is a New Federal Standard for Breach Notification on the Horizon?

In the wake of the recent announcement by Equifax that an additional 2.4 million consumers had personal information stolen as part of the company’s massive data breach in 2017, a light is being shined on related legislation currently pending in the United States House of Representatives. Indeed, lawmakers are once again trying to codify nationwide standards on breach notifications and how data is handled and stored. It appears to be an uphill battle.

Time and again, such as immediately following the 2013 Target breach, members of Congress have attempted to clarify and improve data security requirements, but to no avail. Nevertheless, the current bipartisan bill (the “Data Acquisition and Technology Accountability and Security Act” or “DATAS Act”), introduced by Representative Blaine Luetkemeyer, a Missouri Republican, and Carolyn Maloney, a New York Democrat, is gaining some traction. Among other things, the proposed law seeks to establish a nationwide uniform breach notification regime and a federal security protocol on the handling of personal information. This is the good news. Unfortunately, however, the legislation, as crafted, would not apply to all industries or sectors.

In fact, financial institutions would be exempt from the law because, arguably, they already have to adhere to the privacy mandates of the 1999 Gramm-Leach-Bliley Act and the breach notification requirements of the Federal Deposit Insurance Corp. Of note, Equifax would fall under the category of exempt financial institutions because it collects sensitive financial information.

This does not sit well with many, including representatives of national retailers, who insist a national cybersecurity standard should apply across the board. It is suggested that financial firms should be subject to any new national standard because the Gramm-Leach-Bliley Act predates modern cybersecurity vulnerabilities. No surprise, the financial industry disagrees. And so, the tug-of-war continues in Congress, leaving businesses and consumers to wait and see if any headway is made on this topic of extreme importance.

In the absence of an accepted federal standard for breach notification, companies must follow an existing hodgepodge of notification laws in 48 states, some rather tough, others relatively lax. Confusing, to be sure. Significantly, the legislation now being debated in Congress, if passed, would preempt state law (likewise, it would be enforced by the Federal Trade Commission).

While the uniformity of a national breach notification law may seem attractive on the surface, some experts are concerned that the DATAS Act would weaken current state breach notification mandates, only requiring notice to consumers if the affected company “determines that there is a reasonable risk that the breach of data security has resulted or will result in identity theft, fraud, or economic loss” to consumers. In essence, a company could adopt a “wait and see,” “no harm, no foul” approach until after identity theft, fraud, or other economic loss is discovered before issuing a breach notification. This alarms consumer advocates, who contend that prompt notification to consumers is the best mechanism for stopping identity theft and fraud resulting from a breach.

Another aspect of the bill drawing both support and scrutiny is its requirement that covered entities “develop, implement, and maintain administrative, technical, and physical safeguards that are reasonably designed to protect the security and confidentiality of personal information . . .” This affirmative obligation to implement security measures is tempered by additional provisions, allowing the covered entity to adopt flexible defensive measures that are appropriate based on its size, complexity, scope of activities, cost of available tools, and sensitivity of the data it holds. Consumer advocates warn that, as evidenced by enforcement actions brought by the Federal Trade Commission against numerous companies for inadequate security measures, some companies may underestimate the safeguards required then withhold reporting resulting breaches until after economic harm has occurred. Also, under the DATAS Act, the FTC, which currently interprets inadequate cybersecurity that could potentially harm consumers as an “unfair and deceptive trade practice,” would be prohibited from applying such regulations against covered entities except in cases of violations of the DATAS Act.

Of course, we will notify you should nationwide standards on breach notifications become law. In the meantime, if you would like to improve your company’s cybersecurity program or you are faced with a data breach, or have any questions or concerns regarding cybersecurity or data privacy, the professionals at Michelman & Robinson, LLP are just an email or phone call away. Please feel free to contact Scott Lyon at or (714) 557-7990 with any questions.

This blog post is not offered as, and should not be relied on as, legal advice. You should consult an attorney for advice in specific situations.