State Notification Laws Apply to Yahoo's Data Breach, Give Much Leeway, Say Experts
One big question raised about Yahoo's revelation that a half-billion user accounts may have been compromised in a data breach dating back to 2014 (see 1609220046): Why did the company take so long to reveal the incident?
No federal law compels Yahoo to provide notice, said some experts interviewed Friday, but state data-breach notification laws would have required the company to divulge the theft in a more timely manner. Those laws are sometimes unclear, giving companies like Yahoo a lot of room to delay notification, they added. Yahoo didn't comment.
Most, if not all, state laws designed to protect the personal information of their own residents would have applied to Yahoo since it has account users from coast to coast, said Simone Petrella, chief cyberstrategy officer at CyberVista, which trains and educates corporate leadership and boards about cybersecurity. “That puts the burden on the company to actually sift through them and recognize which state is more protectionist towards their residents versus where it’s more corporately focused. It varies," she said.
State laws become "squishy" about when a company must actually report the incident, said Petrella. For instance, California's statute requires notice to consumers and the state's attorney general within 10 business days. But she said it's unclear if this is measured from when a company discovers the breach or when it's told about it by law enforcement or is based on some other factor. It could be further complicated, she said, if a law enforcement agency asks the notification be delayed so it won't impede an investigation, which some laws allow. Any corporate legal team is going to look at all the state laws and interpret what makes most sense for that firm because there's an "extreme incentive" not to disclose as quickly as possible, she said.
"Most cybersecurity, data privacy and identity protection laws are a mess," said Neal O’Farrell, executive director of the nonprofit Identity Theft Council, which helps victims. "They're a hodgepodge of state, federal, industry standards that are rarely enforced, and companies like Yahoo know that." He said he understands it's "incredibly difficult" for companies with a national or global footprint and millions of users to comply with all the various regulations, but not impossible. In Yahoo's case, nothing was stopping it from announcing the data breach 45 days after it discovered it, which he called a reasonable time. "That simply is corporate cowardice," he added.
Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands, as of January, have laws that require private, governmental or educational organizations to alert individuals when their personally identifiable information is breached, said the National Conference of State Legislatures website. But the patchwork of laws also could play to the benefit of companies. For instance, Petrella said California broadly defines personal information as anything that could identify an individual. But in New York and Delaware, personal information may constitute a name plus specific pieces of data such as a Social Security number, driver's license number or financial account information, she said. "So if you don't meet those standards under New York or Delaware, you don't have to disclose at all."
Heavily regulated industries like finance and healthcare also are required under some federal laws to report such incidents, but no federal law covers all organizations. The Obama administration and DOJ pushed for such uniform national legislation. The Center for Democracy and Technology last year compared data breach notification legislation introduced in the House and Senate. Only HR-2205 was advanced by the House Financial Services Committee.
Sens. Richard Blumenthal, D-Conn., and Mark Warner, D-Va., issued statements Thursday saying Congress needs to enact national legislation in response to the Yahoo breach. Warner said he was "troubled" that the breach occurred in 2014 but the public is hearing about it only now. The "long overdue" law would notify consumers in a more timely manner, he said. Blumenthal said "only stiffer enforcement and stringent penalties will make sure companies are properly and promptly notifying consumers when their data has been compromised." Petrella and O'Farrell said they weren't optimistic Congress would act on a national law.
Mark Skilton, an information systems professor at U.K.'s Warwick Business School, said Yahoo could suffer reputational failure, and the incident may affect Verizon's acquisition of the company (see 1607250016). But he pointed to a question of liability and whether the company will get fined. He said European data protection authorities may pursue complaints through the Department of Commerce or FTC via Privacy Shield, the new EU-U.S. framework designed to safeguard Europeans' data across the Atlantic. "Now that may happen in this case because clearly half a billion by anybody’s stretch of the imagination is really a large number," he said.