State data breach notification law mishmash would get worse with proposed NC and SD legislation — is instant notification by clairvoyant next?

The push for a single uniform national data breach notification law gained strength in the wake of the Equifax breach. Now proposed legislation in North Carolina would amend its law in a way that would add momentum to this push. And now South Dakota is tired of being one of only two states without a breach notification law and wants to abandon Alabama and join the other 48 states by getting a law of its own.

See Why Do Data Breach Disclosures Take So Long? Let’s Ask the SEC Chairman

North Carolina, in a never-ending race to see which state can come up with the most impractical breach notification law, has proposed legislation that would (1) now require that companies notify consumers and the state Attorney General of data breaches within 15 days; and (2) adopt the HHS’ view under HIPAA that a ransomware attack is a data breach that requires notification and reporting. You can read more details about the new law here, but this is enough to help you see why even this Texan believes we need a federal breach notification law in place before some state requires instantaneous notification of consumers by a clairvoyant.

South Dakota’s proposed legislation is at least generally consistent with the existing laws of many of the other 48 states. It would require companies to notify its residents whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person, within 45 days from the discovery or notification of the breach. Breaches affecting more than 250 of its residents would require notifying the state’s Attorney General as well. You can read more details about the proposed law here.

Under the proposed laws for both North Carolina and South Dakota, the failure to comply with the breach notification requirements would be a violation of the respective states’ deceptive trade practices laws.


Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.


National data breach notification law proposed by Senate Commerce Committee members (includes jail?)

Three Democratic senators introduced legislation Thursday requiring companies to notify customers of data breaches within 30 days of their discovery and imposing a five-year prison sentence on organizations caught concealing data breaches.

Why do data breach disclosures often take too long? Let’s ask the SEC Chairman.

In the wake of the Equifax and Securities and Exchange Commission’s data breach disclosures, there has been a lot of public outcry over the assertion that it took too long to disclose these data breaches to the public. “Too long” is a relative term, to start with, as I have little doubt that some people will see anything shy of instantaneous disclosure via clairvoyant transmission as taking too long. But as for the rest of us, it is important to consider why it often takes what appears to be too long for a company (or agency) to disclose a data breach to the public.

In my role as an attorney who has guided many companies through this data breach incident response process, I can tell you from firsthand experience that the most common reason is the company just does not know enough of the facts to justify telling people that their personal information has been compromised when it really does not know whether it has or has not been.

Data breaches do not present themselves to the company with a neat little bow and calling card that says, “Guess what? You have a data breach! On X date, Hacker X accessed your network, took PII records of the following individuals and intends to sell them on the DarkNet. Now go alert the public.”

Instead, data breaches usually start as some anomalous computer event that is detected, gets someone’s attention, and is then looked into to see whether the event is something more, like an incident. But even if it is an incident, that doesn’t mean it’s a data breach. And, just because there is an intrusion (i.e., unauthorized access) to the company’s network does not mean it’s a data breach. It takes time, effort, and good forensics in most cases to determine whether a data breach has actually occurred and, if so, who and what data was affected. If companies notified the public of a “data breach” every time they had an incident or intrusion in their network, it would be a steady stream of notifications and the public would simply ignore them (even more). (Read more about this in my Guide to Responding to Data Breaches: Understanding Data Breach Foundations)

Of the difficulty and subjectivity that goes into balancing these interests and making this determination, the Chairman of the SEC put it very well: “You don’t want to make disclosures that are misleading.” In the case of the SEC’s own breach, he decided it was time to make the disclosure after the SEC had turned up all of the facts that it was going to get before completing its investigation. (SEC Chairman Feels Bipartisan Heat On Breach Disclosure – Law360)

While it’s fun and cool to jump on the bandwagon of companies taking too long to disclose data breaches, we have to be honest with ourselves and ask what we really want companies to do. Are they supposed to willy-nilly alert the public of a potential compromise of their personal data every time they suspect the slightest little thing could have occurred? Is that really what we want? And, in doing so, are they to then risk providing false or misleading information to the public because they are making statements based on nothing more than fear and a hunch?



Key Points of Delaware’s New Data Breach Notification Law

Delaware recently amended its data breach notification law to include the following requirements:

  • Expanded definition of “personal information” to include biometric data, medical information, passport numbers, routing numbers for accounts, individual taxpayer identification numbers and usernames in addition to the traditional forms of PII such as birth date and social security numbers.
  • Notice to affected individuals within 60 days.
  • Notice to the Delaware Attorney General if the breach affects more than 500 residents of Delaware.
  • Provide one year of free identity theft protection services in breaches where Social Security numbers were compromised (joining CA and CT).

Companies are not required to notify individuals if, after an appropriate investigation (i.e., performing a risk assessment), the company reasonably determines there is no risk of harm to the individuals.

On the cybersecurity side of things, the new law requires companies to “implement and maintain reasonable security” to protect the information a company collects and holds for Delaware residents.

The effective date of the new law is April 14, 2018.

National data breach notification law pros and cons? What do you think?

What are the pros and cons of a national breach notification law?

That is the topic of a discussion among Chief Information Security Officers that I will be moderating for the National Technology Security Coalition (NTSC) CISO Policy Roundtable tomorrow (4/3/17). My goal is to keep my own comments to a minimum, ask good questions, and let the CISOs share their real-world knowledge.

Comments are open so please share your thoughts on this issue. Specifically,

  • What are the questions that need to be asked to facilitate this discussion?
  • What are the critical points that need to be made?


Here are a few resources that I found helpful in my research on this issue: