A proposed U.S. national privacy law would let some companies whose systems are hacked off the hook from notifying customers.
Legislation going through Congress would allow companies to decide whether a breach of consumer data merits notifying customers. Under the proposals, moving through both chambers of Congress, companies would need to quickly notify customers about an intrusion if they believe there's a risk that the breach would lead to serious identity theft or fraud. But if companies believe there is no reasonable chance that a breach will hurt customers, the proposed legislation would allow them to keep it under wraps.
The law would override current state laws on notification, many of which compel companies to tell customers if there is any unauthorized access to their personal data, regardless of perceived harm, said Gerald Ferguson, a privacy attorney at Baker & Hostetler LLP, who counsels companies on how to handle breaches.
The standard "would lead to less notifications," said Mr. Ferguson. "It would permit companies to do a second analysis of whether there is a reasonable risk of financial harm. When you are starting to do a risk of harm analysis there is a lot of discretion."
A spokesman for Rep. Marsha Blackburn (R., Tenn.), who sponsored one of the proposals, said the lawmaker took into account concerns that "too much notification undercuts the value of useful notification."
Instead of forcing notification in every case, the bill is focused "on what impacts consumers most and that is identity theft and payment fraud," the spokesman said.
The costs of customer notification after a breach, and the resulting fallout, can be devastating for companies. Target Corp. reported last year that expenses related to its massive breach reached $148 million. An IBM study last year found companies spent an average of $145 in breach-related costs for each record exposed. And a flood of class-action suits, which often follow revelations of a breach, can dog companies for years.
The resulting damage has caused some data privacy attorneys to encourage companies to think long and hard before going public about a breach.
Most states already have laws spelling out when a company must tell customers about a breach. But complying with dozens of separate requirements is costly and can slow a response when a breach occurs, experts say. Rather than dealing with a separate attorney general in every state when a breach happens, companies would mainly be answerable to the U.S. Federal Trade Commission under the proposed law.
"Companies would benefit from reduced demands on compliance functions," said Daren Orzechowski, a technology law specialist at White & Case LLP. "It would allow companies to focus more on addressing the breach rather than running through volumes of statutes."
And if companies decided that a breach had little risk of actually hurting customers, "they'd have another path to take, short of full-on breach notification to consumers," Mr. Orzechowski said. A company attorney may conclude, "'yes, a breach occurred, but nothing sensitive or meaningful was exposed in a way that would allow someone to use it, therefore I shouldn't have to bear the costs of notification.'"