Loyola University Chicago School of Law, JD 2017
Yahoo is just the latest company to have a major cyber security data breach. What is more troubling is how this data breach occurred about 2 years ago and only just now the public is being told about the incident. Was Yahoo in violation of legislation regarding disclosure of the cyber security data breach?
Last month, Yahoo announced the company was hacked in 2014 and information from at least 500 million user accounts was stolen. The data stolen included users’ names, email addresses, telephone numbers, dates of birth and encrypted passwords. Yahoo is not the only company to disclose a data breach in 2016 as LinkedIn and MySpace admitted they had been hacked back in 2012 and 2014, respectively.
So why are we just now hearing about these data breaches? Shouldn’t the public be made aware of the data breaches ASAP in order to take appropriate measures? Are these companies in violation of federal laws for failing to disclose in a quick and timely manner? Surprisingly, no.
Currently, there is no federal legislation stating when companies must disclose to the public about information involving data security breaches. Recently, there have been two proposed legislative acts, the Data Security Breach Notification Act of 2014 and the Personal Data Notification and Protection Act of 2015. However, both of these legislative pieces failed to pass. The SEC in 2011 informed publicly traded companies to report hacking incidents that could have a “material adverse effect on the business” but the term was never defined.
Interestingly, there are data breach notification laws that exist at the state levels. This means companies maintaining the information of multiple individuals from various states must comply with several state data breach notification standards.
While there are many other laws and regulations these companies must abide by, federal laws and regulations about disclosure of data breaches is virtually non-existent. Moreover, there is little legal incentive to comply with “guidelines” or state laws because there is no real enforcement. For example, the SEC has never acted against a company for failing to disclose a cyber security incident or potential threat. So long as the company discloses incidents that could have a “material adverse effect on the business”, the company satisfies the disclosure guidelines by the SEC.
So what should be done in a compliance department regarding these virtually non-existent data breach laws? Should company compliance departments wait until there is federal legislation with enforcement before addressing disclosure issues? I believe it would be a mistake for companies to ignore that these recent cyber data breaches could seriously lead to real federal legislation and enforcement sooner rather than later.
While it is difficult to formulate a compliance program surrounding federal legislation regarding disclosure of cyber data breaches because there are no laws, the companies could look to the disclosure laws in the states the companies conduct business in.
Depending on the laws in those states, compliance departments could preemptively develop a framework for potential federal data breach disclosure laws, specifically involving internal auditing and monitoring, training and educations, and implementing written policies and procedures. Companies may already have compliance programs to address the numerous state data breach laws and thus have an advantage. Nevertheless, with the increase in cyber data breaches, companies should prepare to address potential federal legislation regarding disclosure laws.