Will federal legislation make consumers’ private information safer? | MTTLR

Will federal legislation make consumers’ private information safer?

After JP Morgan’s computers were penetrated by hackers in the early summer of 2014, exposing the personal information of the firm’s customers, the firm did not disclose the breach until late in the summer.[1] Over 76 million customers’ contact information—phone numbers and email addresses—was stolen.[2] The Connecticut and Illinois Attorneys General began scrutinizing JP Morgan’s delayed notification to customers that their contact information had been obtained by hackers, taking issue with the fact that JP Morgan “only revealed…limited details” about the extent of the breach.[3] Both attorneys general are assessing whether JP Morgan complied with their state privacy laws—mainly their states’ data breach notification laws. Given the size of JP Morgan and the 76 million customers whose information was breached, it is safe to assume that residents of Connecticut and Illinois were not the only ones whose personal information was compromised.

Data breaches have become a big issue not only for JP Morgan, but for many other companies. The same hackers who breached JP Morgan’s security attempted to get customer data from Deutsche Bank, Bank of America, Fidelity and other financial institutions.[4] Hackers breached Target’s and Home Depot’s customer credit information, taking 40 million of Target’s customers’ credit card records and 56 million of Home Depot’s.[5] Data breaches and data loss seem to be inevitable, whether through someone working inside an organization—à la Edward Snowden—or through outside hackers, as in the case of JP Morgan, Home Depot and Target. Regardless of how data is lost, there is a need to evaluate the best approach to notifying a consumer when someone else obtains that consumer’s personal information.[6]

The matter is made worse because states have varying definitions of what personal information is, and vary in their definitions of the circumstances that trigger notification and the method by which a breach must be reported.[7] Some states have no timeline within which a company must notify its customers.[8] And when they do have a timeline, it tends to be vague.[9] It took Target three weeks to notify its customers that their personal data had been breached.[10] The matter is made worse still because there is no common federal data breach notification law.[11] Big companies like JP Morgan, which are more likely to be targets of hackers, operate in almost all 50 states, and when their customers’ personal data is breached, they have to deal with each state’s data breach laws state by state.[12]

As a result, some advocate for a federal data breach law.[13] There is an assumption that a federal response to data breach notification would be better than a state-by-state response. California’s attorney general is currently suing the Kaiser Foundation Health Plan because it took the health plan 5 months to notify its customers about a breach.[14] It may not take long until other attorneys general start scrutinizing Kaiser. Some of Target’s customers in various states are suing Target over its data breach notification as well.[15]

However, a federal response to data breach notification may not be the panacea that some advocate. Legislating is a murky process—even murkier when there is not much precedent to work with. Data breach, at least of the digital kind, is a relatively new phenomenon. While various states have their own laws on data breach notification, it is not clear which state(s) have the best process. If a federal notification law is enacted, its standards may be lower than what some states currently have. A federal response may serve as a way for companies to absolve themselves of data breach notification. Though the state-by-state approach may be cumbersome, it will in the end provide a better result, as issues are litigated in public and judges learn about best practices in each state. As cases are litigated in court, states will naturally learn from each other. This organic process may be more likely to produce a better result than a top-down federal process.[16]

[1] Michael Corkery, Jessica Silver-Greenberg and David E. Sanger, Obama Had Security Fears on JPMorgan Data Breach, N.Y. Times (Oct. 8, 2014), http://dealbook.nytimes.com/2014/10/08/cyberattack-on-jpmorgan-raises-alarms-at-white-house-and-on-wall-street/.

[2] Id.

[3] Emily Glazer and AnnaMaria Andriotis, J.P. Morgan Data Breach Draws Scrutiny From State Attorneys General, Wall St. J. (Oct. 4, 2014), http://online.wsj.com/articles/j-p-morgan-data-breach-draws-scrutiny-from-state-attorneys-general-1412376500.

[4] See Corkery, supra note 1.

[5] Robin Sidel, Home Depot’s 56 Million Card Breach Bigger Than Target’s, Wall St. J. (Sept. 18, 2014), http://online.wsj.com/articles/home-depot-breach-bigger-than-targets-1411073571.

[6] Delays revealing data breaches costly: Like JPMorgan, industry practice is hide evidence, JOURNALGAZETTE.COM (Sept. 1, 2014), http://www.journalgazette.net/article/20140901/BIZ/309019956.

[7] Reid J. Schar & Kathleen W. Gibbons, Complicated Compliance: State Data Breach Notification Laws, Privacy & Security Law Report, BLOOMBERG (Aug. 9, 2013), http://www.bna.com/complicated-compliance-state-data-breach-notification-laws/.

[8] Kelli B. Grant, Why did Target take so long to report the breach?, CNBC (Dec. 20, 2013), http://www.cnbc.com/id/101287567#.

[9] See Luis J. Diaz and Caroline E. Oks, When Fast Is Too Slow: Notification Compliance Following Target’s Data Breach, The Metropolitan Corp. Couns. (Jan. 16, 2014), http://www.metrocorpcounsel.com/articles/27002/when-fast-too-slow-notification-compliance-following-target%E2%80%99s-data-breach#_ftn2.

[10] Grant, supra note 8; see Gregg Steinhafel, A Message from CEO Gregg Steinhafel about Target’s Payment Card Issues, Target.com (Dec. 20, 2013), available at https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca.

[11] See Judy Greenwald, Federal data breach notification law could simplify process, BUSINESS INSURANCE (Oct. 24, 2014), http://www.businessinsurance.com/article/99999999/NEWS070101/399999850.

[12] With the exception of Alabama, Kentucky, New Mexico and South Dakota, every state as well as the District of Columbia, Puerto Rico and the U.S. Virgin Islands has enacted legislation requiring notification of security breaches involving personal information. See Schar, supra note 7.

[13] See Jill Joerling, Data Breach Notification Laws: An Argument for A Comprehensive Federal Law to Protect Consumer Data, 32 Wash. U. J.L. & Pol’y 467, 468 (2010); see also Jacqueline May Tom, A Simple Compromise: The Need for A Federal Data Breach Notification Law, 84 St. John’s L. Rev. 1569 (2010).

[14] David Navetta, California Attorney General Files Lawsuit Based on Late Breach Notification, INFORMATION LAWGROUP (Jan. 30, 2014), http://www.infolawgroup.com/2014/01/articles/breach-notice/california-attorney-general-files-lawsuit-based-on-late-breach-notification/.

[15] See Diaz, supra note 9.

[16] See Flora J. Garcia, Data Protection, Breach Notification, and the Interplay Between State and Federal Law: The Experiments Need More Time, 17 Fordham Intell. Prop. Media & Ent. L.J. 693, 697 (2007); see also Brandon Faulkner, Hacking into Data Breach Notification Laws, 59 Fla. L. Rev. 1097 (2007).


Samuel Edandison is an editor on the Michigan Telecommunications and Technology Law Review, and a member of the University of Michigan Law School class of 2016.
