As longtime readers know, from time to time I make public service posts that have more to do with the latest pain in my ass than with the in-house practice of law. And lucky you, this is one of them.
We need to collectively take a deep breath and stop the mass panic over the cyber breach, and really please stop sending me invitations to the sky-is-falling CLEs on the subject.
Look, businesses need to be vigilant and take the appropriate actions to prevent as many breaches as possible. This is a given. I have a guy at work who spends all day long (and probably has nightmares all night long) dreaming up what could go wrong and trying to make sure we've prevented it. I'm not going to give a pass to any company that puts its non-critical AC functions on the same server as its PCI data. However, treating every breach like it's all caused by gross negligence, and having a media trial convicting every company of malice and greed because they didn't do enough to keep your data safe, is ridiculous. Have you kept your data safe? Really? Keep your insurance card in your glove compartment? Yes? It has your full name and home address on it. If your car was made in the last few years, it also has a garage door opener built right in. You've just given any wannabe car thief the means to rummage through your house. Keep any personal information lying around at home? Your negligence has allowed a potential data breach of your house. How could you! You should be locked up and the key thrown away! (Insert fake outrage here.)
Ya, not all breaches are created equal. And that's why the reaction and the way a breach is handled are so important. And why we, the public, need to chill just a little. Did you know that there are 47 different breach notification laws in the US alone? And some of those laws conflict – in one you must notify the state AG first before notifying the public. In another you must notify the public within a given timeline (one that doesn’t give much time to coordinate with other states’ AGs). And then there are insurance requirements if you want the breach covered. Not to mention the criminal investigations and the requests from the various alphabet soup agencies. Dealing with a breach isn’t easy and it takes time to fully understand it. And quite frankly, we, the public, should want every organization to be able to focus on quickly finding out what caused it and stopping it from continuing without having to divert attention to managing the public panic.