A decade of lawmaking by U.S. states to ensure consumers are told when their data has been hacked still lets companies such as Target Corp. wait weeks or even months to disclose security breaches.
Forty-six of the 50 U.S. states have passed laws requiring disclosure, starting with California in 2002, but the laws vary in when and how notice must be given, and most allow delays so that the intrusion can be investigated.
Calls for federal action, including by the U.S. Federal Trade Commission, have gone unheeded by Congress. And guidelines to safeguard investors in public companies also do not give clear guidance on timing and do not require disclosures that would compromise a company’s cyber security.
Consumer advocates have criticized Target, where data from 40 million credit and debit cards and 70 million other records containing customer information was stolen. State attorneys general are probing the breach. Target says it acted quickly after taking defensive action.
“It’s a judgment call,” said Joseph DeMarco, a former head of the cyber crime unit at the U.S. Attorney’s office in Manhattan, citing the time it takes for companies to find out what happened. “A breach investigation could take weeks or months before you know enough to have a legal obligation to disclose.”
Target, the third-largest U.S. retailer, said on Dec. 19 that hackers had stolen data from up to 40 million credit and debit cards of shoppers who visited its stores between Nov. 27 and Dec. 15. Chief Executive Gregg Steinhafel said that Target made its announcement four days after it “confirmed that we had an issue.” The retailer has not said when it first learned of the break-in.
Then, on Jan. 10, the company said the breach was bigger than initially thought: that hackers also stole personal information of 70 million customers.
Another retailer, Neiman Marcus, said last Friday that it was warned about a possible breach in mid-December and that an outside forensics firm confirmed the intrusion on Jan. 1.
Both the Target and Neiman Marcus breaches were first revealed publicly by an independent blogger. In addition, three other retailers suffered breaches during the holiday shopping season that have yet to be publicly disclosed, according to sources familiar with the attacks.
PATCHWORK OF LAWS
California was the first state to pass a law requiring disclosure of a hack, and its rules remain among the toughest. The state requires notification when unencrypted personal information is reasonably believed to have been taken by an unauthorized person. The notices must describe the information at risk, give the date of the intrusion, say whether the notice was delayed, and provide the name and contact information for the company.
Still, California’s statute gives some leeway. It demands disclosure in “the most expedient time possible and without unreasonable delay,” taking into consideration law enforcement needs and time for the company to restore the integrity of its system.
“The first order of business regardless of any state law is to plug the hole, protect the user and then worry about reporting,” said Albert Gidari, a lawyer who has helped companies deal with dozens of security breach investigations and issue notices to consumers.
Only a handful of states require notice by a specific deadline. Florida, Vermont and Wisconsin, for example, give entities 45 days from the date of discovery. But even those states allow exceptions, such as when disclosure could hinder a police investigation.
Some states require that consumers be notified once certain types of information are accessed without authorization, while a greater number let companies evaluate the risk of identity theft and other harm to consumers in deciding whether to notify.
Susan Lyon-Hintze, another lawyer who works with victimized companies, said it was risky to disclose too early, which would tip off hackers to investigations. “That can actually lead to more harm for consumers in the long run,” she said. “They’ll shut down their operations and move onto the next company.”
Jamie Court, president of Los Angeles-based public interest group Consumer Watchdog, said the timing of the Target and Neiman Marcus announcements raises questions about whether the retailers wrongly delayed telling consumers. He called on state attorneys general to look into whether companies failed to disclose their breaches to maintain sales over the holidays.
Target spokeswoman Molly Snyder said the company acted as quickly as it could. “As soon as we confirmed the point of access to our system, closed it and eliminated it, we moved swiftly through the notification process,” Snyder said in an email.
Ginger Reeder, a spokeswoman for Neiman Marcus, denied its disclosure timing was influenced by sales considerations.
Connecticut Attorney General George Jepsen, who is helping to lead a coalition of more than 30 states probing the Target attack and possibly others, may look into whether Target unreasonably delayed its announcement.
“One of the issues we look at in data breach investigations is the timeliness and adequacy of notification to appropriate government authorities and to consumers,” the attorney general’s spokeswoman, Jaclyn Falkowski, said.
Penalties for failing to disclose breaches vary by state. Some set a maximum penalty for each attack, with the amount depending on how many people are affected. In Michigan, for example, fines can range up to $250 per failure and $750,000 per breach. In 2011, health insurer WellPoint Inc. agreed to pay Indiana $100,000 to settle a lawsuit the state attorney general filed under its data-breach notification law. WellPoint took months to notify consumers of a breach and failed to tell the attorney general, despite operating under a law that requires both “without unreasonable delay.”
According to Patrick Fowler, another lawyer who advises companies on security breaches, some states allow consumers to file lawsuits for unreasonable delays, while others leave it to the attorney general.
The U.S. Securities and Exchange Commission issued guidance in 2011 on how public companies such as Target should disclose cyber attacks. The SEC said companies may need to tell investors that an attack occurred, along with its potential costs and other consequences. Typically, such disclosures come in the company’s next filing, whether a quarterly or an annual report.
But since the SEC guidance came out, “companies have tended to include generic risk factors rather than disclose specific incidents,” said Todd Hinnen, a former acting assistant attorney general at the U.S. Justice Department.
(Reporting by Karen Freifeld; Additional reporting by Ross Kerber and Jim Finkle in Boston; Editing by Eddie Evans and Steve Orlofsky)