All 50 U.S. states have data breach notification laws; the first was enacted 18 years ago in California. Pennsylvania’s Breach of Personal Information Notification Act is more than 15 years old. And, ever since, data breach notices have been headlining newspapers (and appearing in recipients’ mailboxes). A business leader would be hard-pressed to ignore that all U.S. states and most international jurisdictions have laws that trigger notification obligations in the wake of data security incidents.
A dirty secret, nonetheless, is that many organizations indifferently fail to notify, or deliberately avoid notifying, customers of a breach of personally identifiable information. A 2017 paper studying the economics of information security concluded that more than 60% of U.S. data breaches go unreported. The cleverly titled study (“Estimating the Size of the Iceberg from Its Tip: An investigation into unreported data breach notifications” by Fabio Bisogni, et al.) clearly explains several reasons for such nonreporting:
- Many companies fail to even detect the incident or lack logs sufficient to establish that it resulted in unauthorized access to personal information.
- Some state laws permit companies to forgo notification if they find little risk of harm to the affected persons.
- And some companies simply decide not to notify, choosing instead to bear the risk of private lawsuits, regulatory enforcement actions, and the potential of incurring significant reputational damage later, in favor of the immediate savings of not having to pay for the notification process and the prospect that the incident may never become public.