Shouldn’t a company have to tell you when it’s been hacked?

In this photo illustration, a virtual map of the internet is projected onto a woman in London.

Just a friendly reminder that the United States does not, at the time of this writing, have any kind of federal data breach notification laws on the books.

Such a law would set out specific rules about what a company (Equifax, Intel, Uber or Yahoo, to name a few high-profile examples) has to do after a major hack: how soon it needs to tell customers the hack occurred, and how executives should behave when they find out there has been a breach.

Why do we need such a law, you ask? Three reasons:

1. It would give customers time to freeze their credit or take other preventative measures if they find out their data has been compromised. Identity theft stemming from a breach might be preventable if people know what data has been accessed and are able to move fast.

And it would force companies to tell consumers that a breach happened. In the case of Uber, the company found out hackers stole 57 million customer records, but instead of notifying people, it paid $100,000 to the hackers to make the problem go away (it didn’t).

2. It would limit insider trading at companies that have been breached but either haven’t told all their executives or have executives who take advantage of a delay. When credit agency Equifax was hacked, affecting more than 145 million people, the company didn’t make the news public for weeks after it found out. But while the news was still under wraps, three Equifax employees sold up to $2 million worth of company stock.

And while Intel was getting its ducks in a row to tell its customers about the Spectre and Meltdown flaws affecting basically all of its products, CEO Brian Krzanich unloaded almost all his company stock, to the tune of $25 million.

3. And it would simplify a messy muddle of 48 state laws that make it hard for businesses to know whether they are in or out of compliance. Just in the last few weeks, retailers and even the banking industry have started asking for a consistent federal statute that would simplify things for everyone.

Such laws have been proposed dating back to 2015, but have gone nowhere, and privacy experts say they’ve largely been weaker than state laws. (Fun fact: a law proposed in 2015 would have made data breach notifications mandatory for businesses, except financial institutions. It would have been voluntary for them.)

There are, however, signs of an increased appetite for regulation.

Senators Elizabeth Warren and Mark Warner are pushing a bill that would specifically affect credit reporting agencies and could fine them as much as half or even 75 percent of their operating revenue if they combine big customer data losses with lax security practices.

And this week, the Securities and Exchange Commission put into effect updated guidance that puts companies on notice that it considers security to be as important as electricity to publicly traded companies. For the first time, the SEC made it clear that it considers hacks and cybersecurity breaches to be material information — that means companies have to disclose it, and they can’t use the information for insider trading.

The guidance is technically nonbinding, but Michael Greenberger, a professor who studies securities law at the University of Maryland, said it’s nevertheless “a very big deal.”

“This really puts a fine point on this. Words are used to make clear we don’t view this as a problem of information technology,” he said. “We view this as a problem of the strength of operating the corporation.”

He also said the SEC could use the updated guidance to re-examine the stock sales by Krzanich or Equifax executives. And Greenberger said the guidance could prove to be a standard that even private companies would feel some pressure to follow.  

Also, even if the U.S. doesn’t enact any federal privacy or breach-notification laws, any company that also does business in Europe will have to start reporting data breaches anyway. The General Data Protection Regulation will force multinational companies to report breaches to the relevant data protection authority within 72 hours of becoming aware of them, and it’s backed by very large fines.

It’s possible that the European regulations will force large companies to come up with better plans for dealing with cybersecurity issues, and that those plans will trickle back to the U.S. in the event of a large-scale hack. But a little protection on this continent would also go a long way.
