Save this content for laterSave this content on your device for later, even while offline Sign in with FacebookSign in with your Facebook account Close

Jim Flynn: Timing of Equifax disclosure at issue

By: Jim Flynn
November 12, 2017
0
photo - Jim Flynn - Business (2013)
Jim Flynn - Business (2013) 

The Equifax data breach, affecting about 145.5 million Americans, continues to provide income-enhancing opportunities for lawyers.

Under scrutiny now is the timing of Equifax's disclosure of the breach. Nearly six weeks elapsed between the time Equifax became aware of a problem and its disclosure of the problem. This is important because 48 states, the District of Columbia, Puerto Rico, Guam and the Virgin Islands have laws requiring notification of a data breach. (Alabama and South Dakota don't.)

A problem for a company experiencing a data breach is that these laws are not uniform. They define "personal information" differently, what happens if data is encrypted, whether an investigation is required before notification, who must be notified and how quickly notification must be given.

If you're the lawyer for a company trying to respond to a data breach, you're going to have long days sorting out the company's compliance responsibilities in all jurisdictions and responding to troubling inquiries from various state attorneys general (some of whom are seeking re-election).

In Colorado, the data breach notification law says a breach occurs when there is an "unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality or integrity of personal information. . "

"Personal information" means a first name or first initial and last name, in combination with one or more of: Social Security number; driver's license or identification card number; or account number (including a credit or debit card number), together with any security code, access code or password required for account access.

When a company doing business in Colorado becomes aware of a security system breach, it must promptly and in good faith conduct an investigation to "determine the likelihood that personal information has been or will be misused." Unless this investigation concludes misuse has not occurred and is not reasonably likely to occur, the company must give notice of the breach to affected residents "as soon as possible."

To fuzz things up, the law also says that "notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system." If more than 1,000 Colorado residents are affected, the law requires that a notice go to credit reporting agencies.

There is considerable debate whether giving notice of a data breach is a good idea. Some argue that notice makes things worse by inviting further cyberattacks. Others argue that widespread disclosure of data breaches helps to deter further attacks. In Colorado, the Legislature seems to have decided giving notice is the better bad choice.

Register to the Colorado Springs Gazette
Incognito Mode Your browser is in Incognito mode

You vanished!

We welcome you to read all of our stories by signing into your account. If you don't have a subscription, please subscribe today for daily award winning journalism.

Register to the Colorado Springs Gazette
Subscribe to the Colorado Springs Gazette

It appears that you value local journalism. Thank you.

Subscribe today for unlimited digital access with 50% fewer ads for a faster browsing experience.

Already a Subscriber? LOGIN HERE

Wake up with today's top stories in your inbox

Wake up with today's top stories in your inbox

Already a print subscriber?
Already a digital subscriber?
 
This is your last FREE article for the month
This is your last FREE article for the month

Subscribe now and enjoy Unlimited Digital Access to Gazette.com

Only 99 cents for Unlimited Digital Access for 1 month
Then $2.31/week, billed monthly, cancel anytime
Already a print subscriber?
Already a digital subscriber?

 
You have reached your article limit for the month
You have reached your article limit for the month

We hope that you've enjoyed your complimentary access to Gazette.com

Only 99 cents for Unlimited Digital Access for 1 month
Then $2.31/week, billed monthly, cancel anytime
Already a print subscriber?
Already a digital subscriber?

 
articles remaining
×
Thank you for your interest in local journalism.
Gain unlimited access, 50% fewer ads and a faster browsing experience.