In the Wake of Breaches, States Look to Tighten Data Security

By FOCUS, a Leonine Business

In 2016, a security vulnerability in the popular ride-sharing app Uber led to the personal information of 57 million of the company’s drivers and users being stolen by hackers. Rather than disclosing the hack to the public and authorities, the company stayed silent, choosing to pay a $100,000 ransom in exchange for the hackers deleting the data they had acquired through a flaw in the company’s network security, according to The New York Times.

The incident was not disclosed to the public until November 2017, coming just on the heels of the highly publicized data breach of consumer credit reporting agency Equifax, which saw the personal data of 143 million Americans compromised – nearly half the population of the U.S.

The backlash against both companies was swift and intense. Uber is facing at least four lawsuits over the alleged cover-up, according to The Washington Post, alongside separate investigations by the attorneys general of Connecticut, Illinois, Massachusetts, Missouri and New York. Equifax is facing similar lawsuits, and has even prompted a new type of state legislation seeking to prohibit companies from charging fees for credit freezes in the wake of a breach.

While disclosure of security breaches is not a new topic to state lawmakers – California enacted the first security breach bill in 2002 – many are concerned enough about the increasing frequency of such breaches that they are redoubling their efforts, introducing a slew of legislation aimed at ensuring the proper protection of personal information by state agencies, educational institutions and private companies.

Data breach legislation typically follows a standard format: the laws generally require a company that has been the target of a breach to notify the proper authorities within a specified time frame if any sensitive personal information has been compromised. Failure to comply with the requirements of these laws often results in significant financial penalties for the companies involved, in addition to the negative PR and threat of litigation already associated with a breach.

Across states, however, the specific content of these laws often differs: states may require notification to different state and federal authorities or within shorter or longer periods of time, and the exact definition of personal information often varies. Trying to find the proper balance between these elements is often a difficult process for lawmakers.

In 2017, New Mexico became the most recent state to enact a security breach notification bill, making it the 48th state with such a law on the books. Alabama and South Dakota remain the only two holdouts where such security breaches do not require notification, according to NCSL. To date, security breach legislation has been introduced or prefiled in at least 35 states during the 2017-2018 legislative sessions, a number certain to increase as the sessions continue to move on and compromises are made.