White House's Cyber Security Proposal Recommends National Breach Reporting Standard

May 18, 2011

By: Michael R. Fox and John F. Mullen

This article is an interpretation of current law and is offered for informational purposes only. This material is not legal advice and should not be construed or used as a substitute for the advice of an attorney.

In the wake of several high-profile data breaches, the Obama administration ("administration") proposed cyber security legislation last week designed to offer greater protection to the country's critical infrastructure, federal and state governments, and citizens' personal information.

One aspect of the initiative, which the administration refers to as a "vision for the future of cyberspace," proposes enacting national data breach reporting laws. Currently, 46 states and the District of Columbia have some form of regulation that requires an entity that suffers a data breach to notify individuals whose personal information may have been compromised. When the data loss exceeds specified limits, entities in certain states must also notify the state attorney general. The proposed legislation seeks to both simplify and standardize the existing "patchwork" of the 47 different laws.

The suggested national guidelines require any business that collects personal information for more than 10,000 people during any 12-month period to notify individuals of a data breach that involves the loss of their personal information. The notification must occur "without unreasonable delay" via standard mail, telephone or e-mail. In some cases, notification may even occur through media outlets if the notice is properly calculated to reach the affected individuals.

The standards also include certain exemptions from reporting. For example, no separate notification is required when the targeted entity utilizes or participates in a security program that automatically notifies individuals of potential fraud and blocks unauthorized financial transactions before they are charged to the account of the person whose information was stolen.

From the perspective of insurance carriers who offer cyber breach insurance policies, the enactment of a national data reporting law may be welcome. Currently, the existence of 47 different sets of reporting obligations makes compliance confusing and time-consuming. A national standard would simplify the reporting process and reduce the costs associated with analyzing and complying with a large number of diverse standards.

While promising, the proposal still faces challenges. This is not the first time a national reporting standard has been proposed. In the past, issues surrounding the pre-emption of state laws have been a significant barrier. These issues will need to be addressed before the proposal can become law.

For additional information related to this or other privacy and data security issues, please contact John F. Mullen at 215.358.5154 or via email at jmullen@nldhlaw.com or Michael R. Fox at 215.358.5163 or mfox@nldhlaw.com.
