Technology is a powerful thing. But it can also be very dangerous.
It’s advancing at a speed that gives businesses, small and large, a plethora of new opportunities to innovate and grow. However, it often outpaces the law.
Just ask Home Depot, which found itself navigating the choppy waters of data breach law after falling victim to a cyberattack in 2014.
At the annual National Association of Attorneys General (NAAG) Winter Meeting, Home Depot General Counsel Teresa Roseborough spoke of the difficulties unraveling the mystery of privacy compliance. She pointed out that the laws at play in data breaches are inconsistent and ambiguous, which makes compliance a near impossibility.
There are legal inconsistencies on who should be notified first: the attorneys general, the consumers, or both at the same time. There are inconsistencies on how much, if any, information must be disclosed. There are even inconsistencies on the question of who handles the information: the attorney general’s office or some other agency.
Throw in the frantic pace of news reports and class action filings on top of a legal enigma, and you get an environment that puts business in a serious hole.
Tanya Madison, TD Bank’s chief privacy counsel, who also spoke at NAAG’s meeting, outlined five issues that companies and governments must face when dealing with sensitive data and breaches:
- Technology’s high-speed evolution
- The changing definition of “personal information,” and liability associated with it
- The mishmash of inconsistent laws and industry standards and the use of vague “unfair and deceptive practices” (UDAP) laws
- A threat environment that grows more complex by the day
- The strained relationship between innovation, privacy, and security
If data holders must work with these issues, shouldn’t the law?
With so many different laws to comply with, businesses open themselves up to an incredible amount of unnecessary liability. As data becomes even more crucial to the evolution of modern business, state and federal governments need to adapt. There are a number of ways to accomplish this.
First, state data breach laws should be harmonized. This would simplify the compliance landscape across the country while also ensuring consumers are protected. A survey by polling firm Public Opinion Strategies commissioned by the U.S. Chamber Institute for Legal Reform shows the public strongly agrees. 86 percent of Americans say there should be a single standard for when and how to notify consumers when a company’s data has been breached.
Second, the weaponization of UDAP laws must be reined in. These vague laws were not written with privacy and data security in mind. It only makes sense to modernize them to prevent hungry plaintiffs’ lawyers from hammering businesses while giving their “clients” almost nothing.
Third, attorneys general offices across the country should be encouraged to meet and work with businesses BEFORE a breach occurs. These meetings would help both sides familiarize themselves with security measures and responsibility while also creating a proactive strategy to protect everyone involved.
Technology evolves. The law should too.