Holiday shopping? How much do data breach notification laws protect?

by @mhkeller December 1, 2014 5:00AM ET

Forty-seven states require companies to notify customers that their data has been stolen. How does your state compare?


When hackers stole credit card and contact information from 70 million Target customers last year, the public heard about it four days after the company says it confirmed the theft, in part because 47 states and the District of Columbia have data breach notification laws requiring companies to disclose when they lose financial information.

Now, during the busiest shopping time of the year, not only is credit card data facing its usual risks, but also many of the Internet-connected devices on sale this season are new and potentially valuable targets for data thieves. Only a few state laws extend the same kind of swift notification of financial thefts to other kinds of data, possibly leaving consumers unaware if data such as photos, locations and exercise habits is breached.

"The data breach notification laws really have ushered in an era of transparency when breaches happen," said Mary Ellen Callahan, a lawyer who works with companies that were data theft victims. But a national patchwork of regulations governing what qualifies as personal information complicates the process, she said.

Generally, each state has a list of data it considers personal enough that, if stolen, a consumer must be notified. For example, every version of the law covers financial information, such as a credit card number together with any required access codes or passwords. Only four states — Iowa, Nebraska, North Carolina and Wisconsin — protect biometric data such as fingerprints and retina images. Wisconsin is the only state to include DNA. California and Florida consider an email address and password combination sensitive enough to trigger notification, but not your mother's maiden name, which is often used as a security question and can therefore be just as useful to an attacker trying to take over an account.

And when notice is given, a recent California report found, the average notice is written at a college reading level. Overnotifying for incidents in which consumer harm is unlikely can also be a problem, Callahan said.

"What I'm concerned about is, I think it could be people are overloaded by these notifications and they are not getting to the root cause, which is how do we solve this or how do we have fewer breaches in the future," she said.

Attorney General Eric Holder has pushed for a federal standard to simplify and potentially strengthen consumer protection, which business and privacy groups support. So far, no proposal has passed Congress.

How do these laws differ? Use the options below to simulate a data breach and see what thieves can steal while staying below your state’s notification threshold.