Recently proposed legislation in Congress outlines a plan that would allow companies to decide whether a breach of consumer data merits notifying customers. This legislation aims to provide companies the opportunity and time to do a second analysis of the risks and financial harm from a breach, focusing on what would affect consumers the most.
Most states have laws outlining when a company must notify customers about a breach, but complying with separate requirements can be costly for businesses and can potentially slow the response when a breach occurs. The Wall Street Journal reported that rather than dealing with a separate attorney general in every state when a breach happens, companies would mainly be answerable to the US Federal Trade Commission under the proposed law.
"Companies would benefit from reduced demands on compliance functions," said White & Case partner Daren Orzechowski. "It would allow companies to focus more on addressing the breach rather than running through volumes of statutes."
And if companies decided that a breach had little risk of actually hurting customers, "they'd have another path to take, short of full-on breach notification to consumers," Orzechowski said. A company attorney may conclude, "'yes, a breach occurred, but nothing sensitive or meaningful was exposed in a way that would allow someone to use it, therefore I shouldn’t have to bear the costs of notification.'"