October 17, 2011, 3:29 PM — Consumer advocates as well as many business groups have attempted to get federal laws adopted in the United States that would mandate disclosure of security breaches in which some types of private information about identifiable people are exposed. In spite of the obvious logic of having a national standard, these efforts so far have failed.
But a recent action by the Securities and Exchange Commission may have created a disclosure requirement more sweeping than any of the legislative proponents could have wished for.
BACKGROUND: US companies pushed to disclose cyberattacks
It used to be that companies suffering a security breach did not have to tell anyone about it, even the people who might be negatively affected by it. That started to change on July 1, 2003, when the California Database Breach Act went into effect. This act required disclosure of any security breaches of databases that included specific types of mostly financial information about California residents. But, as ChoicePoint found out in 2005, just telling California residents about a breach that included residents from other states was rather dumb.
Forty-six states have passed their own laws since the California law was shown to force companies to tell customers when they might be in danger because of a company mess-up. If you live in Alabama, Kentucky, New Mexico or South Dakota, you just have to trust that the companies have enough of a conscience to let you know when you are in danger.
Having 46 often contradictory state laws is far from ideal if you happen to run a business that spans state lines. Having a national set of rules would make a great deal of sense, but asking the politicians in Washington to do something that makes sense does not always produce a sensible result. Part of the problem with the political process is the impact of lobbyists, which would likely produce a set of rules far weaker than the strongest state laws -- so maybe inaction is for the best.
But the Washington bureaucracy may have just cut through the logjam.