Chicago partner Ken Dort was quoted in an article for The Wall Street Journal titled, “30 Days Not Enough Time in Obama’s Proposed Breach Notification Law: Retail Group.”
President Obama proposed new federal legislation Monday that would require companies to report to customers the exposure of their personal information within 30 days from the discovery of a data breach. While some companies welcomed the move to a single federal standard, they also expressed concern that 30 days may not be enough time to accurately assess the scope of a data breach.
One federal law, known as the Personal Data Notification & Protection Act, would replace different notification requirements in nearly four dozen states. “Right now, almost every state has a different law on this and it’s confusing for consumers and it’s confusing for companies and it’s costly to have to comply with this patchwork of laws,” said President Obama in a speech before the Federal Trade Commission. “Sometimes folks don’t even find out their credit card information has been stolen until they see charges on their bill and then it’s too late,” he added.
But once a company knows definitively what happened, 30 days is “more than enough time” to notify affected consumers, said Ken, who has supervised numerous investigations involving data breaches across many different business sectors. Still, emphasizing concern over the proposal’s exact trigger for notification, he added that “you can’t send a breach notification letter unless you know what you’re putting in the letter.”