The latest data breach was a big one. Hackers got into JPMorgan’s computer network, and the bank says that has put 76 million households and 7 million small businesses at risk.
Because it is a public company, JPMorgan is required by law to tell federal regulators about anything that could affect its share price, and that is what it did. JPMorgan notified the Securities and Exchange Commission last Thursday. But other companies don’t have to notify the government when their servers get hit.
When it comes to data breaches, the U.S. has a confusing patchwork of laws. It may surprise you that there is no overarching federal law.
“From the very beginning of digital technologies and the Internet, the federal government took the view of ‘keep its hands off,’” says Fred H. Cate, who heads the Center for Applied Cybersecurity Research at Indiana University.
So, the states stepped in. California was the first to pass a data breach notification law. It has been on the books there since 2003. Forty-six states followed, along with Puerto Rico and the District of Columbia, and each one has a different law with different requirements.
“I think that everyone assumed that once you got a bunch of conflicting state laws, Congress would step in and provide some clarity by providing a single federal law,” says Cate.
That hasn’t happened. Proposals have been held up in Congress, and an executive order President Barack Obama signed last year is voluntary.
Tina Ayiotis, who teaches law at The George Washington University, says after a string of high-profile attacks at Home Depot, Target and JPMorgan, we are starting to suffer from “breach fatigue.”
“At this point, the pain is not enough to really make it so that it becomes a priority,” she says.
What could change that, says David W. Opderbeck, a professor at Seton Hall University School of Law, is a cyber-attack on infrastructure, “like a power grid or a water supply, or the markets shut down for a few days.”
“When that kind of thing happens, then maybe we’ll see some action,” he says.
Until then, the action continues to be at the state level, keeping lawyers, consultants and compliance officers busy, and consumers confused.