It seems like every day we’re hearing about a new data breach, or another cyberattack.
Many of us have received a letter with the words “Notice of a Data Breach” on it, but NBC Responds and Telemundo Responde reporters nationwide found that how long a company has to notify consumers that their information has been compromised in a breach depends on where they live.
“If we could wave our magic wand, we would like to see federal legislation, we would like to see minimum, uniform, enforceable standards,” said Identity Theft Resource Center CEO Eva Velasquez.
In Florida, a company has to notify the state only if a breach impacts more than 500 people.
After that, the company has 30 days from when it determines or believes the breach has occurred to notify you.
In California, it is mandated that a company report the breach but there is no required timeline for telling consumers.
For example, Change Healthcare notified some consumers of a data breach on August 5th after discovering that a cybercriminal copied data from its computer system in March. That’s a warning five months later for a breach in which health data, diagnosis, and payment info were stolen, impacting one-third of Americans.
On its website, Change Healthcare stated it began mailing out notices at the end of July and was committed to “notifying potentially impacted individuals as quickly as possible on a rolling basis, given the volume and complexity of the data involved.” The company also said, “the investigation is still in its final stages.”
There was also an AT&T breach that took place back in April but wasn’t announced until July.
In that case, the company and the FBI decided to delay the announcement “due to potential risk to national security and public safety.”
At the time, AT&T said they had “taken steps to close the illegal access point” and said they would provide resources to help protect their customers’ information.
Every data breach is different, and experts point out that detecting and investigating a breach can take time.
“That number is reportedly still over 200 days and then it takes on average 70 to 75 days for it to be actually reported,” said Michael Bruemmer with Experian.
Bruemmer is the Vice President of Global Data Breach Resolution and Consumer Protection at Experian. He says investigating the breach can only happen after the breach has been detected, which can add days to an already long timeline before consumers are notified.
“We need to have quicker reporting from companies that have been hacked,” said Sen. Mark Warner, D-Va.
Sen. Warner introduced a bill in 2021 that called for faster reporting on data breaches. The Cybersecurity and Infrastructure Agency is currently creating reporting regulations based on his push for change, but critics question whether this will happen.
Connecticut’s Attorney General William Tong doubts a federal data privacy law will happen anytime soon.
“Waiting for Congress to act on all this means we'll be waiting for a long time,” Tong said.
The Identity Theft Resource Center has been tracking data breaches for almost 20 years now, and advocates say that if the delay in disclosing is due to a fear of impacting the company’s stocks or quarterly profits, then that’s a problem.
“We all have to fight these issues and the more we leave out and don’t inform – the less ready we are to mitigate any upcoming risk,” Velasquez said.