You might think that retailers have to let you know right away if they get hacked and someone steals your account information.
But recent disclosures by Target and Neiman Marcus that their networks were hacked, and data about their consumers was stolen, have raised questions about how quickly merchants need to alert their customers.
In the case of Neiman Marcus, the company may have had evidence of a breach as far back as July. But the law is a bit murky on just how quickly companies need to let consumers know.
“This is much more complex than what you might think,” says Peter Guffin, an attorney who specializes in privacy and data. He says there’s a patchwork quilt of laws that make these disclosure rules complex.
“You’ve got 46 states, I believe, at last count who actually have their own notions of data breach notification,” he says.
States vary in how much they require retailers to inform consumers about breaches. Some states say companies don’t have to alert consumers unless there is a real “risk of harm.” Guffin says the only place they tend to agree is that “most states want you to be notifying affected individuals as expeditiously as reasonably possible.”
But consumer advocates point to a big exception to this rule that gives companies a lot of room.
“If there’s a law enforcement investigation going on or if a disclosure about a data breach could impede a law enforcement investigation, then companies don’t have to inform consumers of the breach immediately,” says Jamie Court of the advocacy group Consumer Watchdog.
Court says companies can use an ongoing investigation as a reason to delay when they fear it will have a negative impact on their bottom line. He suspects that Target and Neiman Marcus may have delayed notifying customers about recent security breaches.
“It happened during the Christmas buying season,” Court says. “And we just can’t be sure until law enforcement tells us when the companies knew about the breach and whether they delayed the information getting to the American people.”
Several state attorneys general are investigating the breaches, and in many cases, they look into the timing of the disclosure as part of the overall investigation.
In emails, spokespeople for Neiman Marcus and Target say they are confident that they are meeting all legal notification requirements.
Privacy and data security attorney Guffin says there are some good reasons companies don’t send out notifications the minute they see signs of a security breach.
“You might discover today a so-called breach,” he says. “But it’s gonna usually take a fair amount of time to do a proper investigation to figure out what happened.”
However, Guffin says there are powerful economic incentives to keep the breach quiet for as long as possible. A report by the Ponemon Institute, which does research on security issues, compared the costs to companies that alerted customers quickly and those that didn’t.
“Quick responders paid significantly more than companies that moved a little bit more deliberatively in terms of their responding,” Guffin says. Factors such as sending out more notifications than necessary, false alarms and harm to reputation raised the cost, he says.
Consumer advocates are aiming to make the cost of withholding information higher. Court thinks it’s too hard for consumers to sue companies for damages.
“Your privacy doesn’t have a monetary value and under almost every law that I know of there’s no way to sue to make the company pay a price for not being forthcoming enough in a timely way,” he says.
Both Court and Guffin say there should be one federal law that governs notification to consumers of security breaches. They say the current patchwork of laws raises the cost and aggravation for everyone.