#7 – Data Breach Over-Notification

What’s so iAWFUL?

Following high-profile hackings, states are rushing to pass new data breach notice laws.  But forcing businesses to issue broad and rushed notices could impede investigations.  And the quantity of notices will desensitize consumers to situations where a notice truly does merit their immediate attention.   Moreover, the divergence among state laws is creating an impossible patchwork for businesses that have customers in every state.

(CT SB949), (IL SB 1833/HB3188), (NV AB179), (OR SB601), (RI HB5220/SB134), (TX HB3478), (VT S73)

Consumers need to know when their information is compromised.  But new legislation that forces businesses to prematurely notify consumers can result in consumer over-notification.  Such over-notification de-sensitizes consumers to notices that truly require them to take action to protect their credit.

Some of the bills exclude financial or health data breaches, which are precisely when the consumer should be notified, while others impose notification requirements on less sensitive information like a picture.

For example, the Illinois bill would treat something as innocent as disclosing a birthdate as a data breach. It also imposes stiff fines for such disclosure.

Connecticut’s SB 949 gives businesses only 24 hours to notify users or the businesses face stiff fines. But 1 day isn’t enough time to verify a breach even happened, let alone determine what data was acquired and which users were affected. This short time frame is sure to result in premature notifications and false alarms that are not in consumers’ best interests.

Finally, Vermont’s S73 would require businesses to collect more information about consumers in order to provide additional notices. So rather than using your preferred email account, online service providers would need a second email address, and perhaps even your phone number.

Today 47 state data breach laws already protect consumers, but these bills could end up exposing consumers to greater privacy risks.

All too often, the first instinct is to attack businesses.  This ignores the reality that they too are victims of theft.  This is like blaming a bank for getting robbed or blaming a woman whose purse was snatched.  They are all victims.  But businesses and credit card companies already have financial incentives to protect consumers and their data.

Consumers are not responsible for fraudulent purchases on their credit cards.  It’s businesses that pay when a fraudulent purchase is made.  This means that businesses and credit card companies have financial reasons to create secure systems and try to stay ahead of the thieves.

Today, online and offline businesses face a patchwork of state laws, Attorneys General and consumer organizations that play by different and confusing rules.  We should not add new threads to this already complicated patchwork of state laws.  Instead, we should all work to stop the criminals.

Fortunately, Congress is heeding the call to clarify the confusion of 47 different state bills. While flaws exist, a new federal data breach standard introduced by Representatives Welch and Blackburn could solve the legal patchwork problem and provide the clarity we all need.

The iAWFUL reflects the editorial views of the Executive Director of NetChoice and does not necessarily reflect the views of all NetChoice members.