Logo for print

Once More Unto the Breach, Dear Friends

White Collar Defense
Government Enforcement & Investigations
Litigation
Data Security & Privacy

Hey, you know what's weird? Besides Snuggies, I mean.

It’s this: there are 47 different state data breach laws in the United States. Seriously. 47! And most of them have some sort of provision that says that if a breach requires notification of their citizens, then you’re going to fall under their jurisdiction. Whoa nelly. Buckle up.

Data breaches are totally (“totes” for those of you born later than 2001) the rage right now. Pieces of malicious code float around the internet like butterflies, and while they may not sting like bees, they sting like whatever multimillion dollar forensic investigations, customer relief, and private lawsuit defenses feel like. So maybe like a bee the size of say, Toledo.

In most data breaches, some kind of personal identification information is exposed. Names, addresses, credit card numbers, social security numbers, account numbers, driver’s license numbers, and on and on and on. (Hot tip for companies: stop collecting information that you don’t really need! And another hot tip, right here.)

Every company is susceptible to data breaches. It doesn’t matter what industry you’re in: entertainment, retail merchandise, hospitality, cloud computing, the government … it’s all fair game. All that it takes is a momentary lapse in security, an outdated patch, clicking on that ad that says, “I lost 52 pounds with this one weird secret that doctors don’t want you to know about,” and crack! There’s a breach. Then the fun begins.

And by “fun,” I mean “not at all fun.” What’s the opposite of fun? C-SPAN? Yes. Then that’s what I mean.

Because remember what I said about 47 different state laws? Well, that doesn’t even include the data breach laws in District of Columbia, Guam, Puerto Rico, or the Virgin Islands. Just try to think of a company that doesn’t have multi-state operations these days. Go on, I’ll give you a minute. Think of it this way: does it have a website? Most likely, yes. And that means that it will reach wherever the internet goes (even Detroit!) and probably fall under the data breach laws in any state in which it conducts business.

That’s all well and good if the state laws were the same. But they’re not. Sure, every state requires that you notify the affected consumers. But that’s basically the end of commonalities: in Texas, for example, a company also needs to notify the consumer reporting agencies if the breach affects in excess of 10,000 people. Some states want you to tell the consumers how many people were affected. Not Massachusetts though. And if some of those people are in Hawaii, or New York, or Louisiana,  then you need to notify their respective Attorney General’s offices. Get all that? Did you do all that? But wait … did you find a consumer who needed notification in Missouri? Then back it up, boss, because you needed to have notified the state of Missouri before you sent out your first notice to any consumer. Montana doesn’t have a state law (yet), but that’s okay, since Texas law tells you what to do for that Montana customer. And apparently Vermont’s agencies don’t talk to each other because you have to notify a couple of them at once. Same with Maine, New Hampshire, New York, Massachusetts, and Connecticut. (Bless yer lil ol’ heart, agencies in the South must be a little more neighborly, y’all!)

Once you’re done with that, you should think about the nine United States federal privacy laws with fourteen federal regulations that come from agencies like the FCC, FTC, SEC, DHS, IRS, FDA, and others, and uh-oh I’ve just gone cross-eyed. A-B-C – it’s not nearly as easy as 1-2-3!

It’s okay if you need to sit down for a minute to take all that in. Of course, while you wait, hackers are coming up with new and improved ways to steal your stuff. Want to race? Congress versus hackers … and go!

Bottom line: This is all just about as ridiculous as eggplant. (Some of you may like eggplant, I get it. But you know that old saying, “the road to hell is paved with good intentions”? Well, it’s also littered with eggplant and okra, too. I’m just saying. Horrible things. Anyway, where was I again? Right! Data breaches!) There is just no way that this patchwork quilt of crummy and confusing laws makes any sense in a day and age where everything is interconnected and state borders mean so little.

Unfortunately, there’s not really a fix for this yet. So in the event of a data breach, there’s not a lot you can do about the patchwork quilt except to wait for Congressional action (which, to do so, would test even the patience of Mother Theresa). So instead, your toolbox has to include a good lawyer who understands these laws, a good forensics firm that can figure out what happened, and maybe even a good public relations shop to help communicate with the outside world.

Or alternatively, trade the internet for a typewriter and an abacus. You can always look for cat videos on C-SPAN instead.