Retailers Can Wait To Tell You Your Card Data's Been Compromised
You might think that retailers have to let you know right away if they get hacked and someone steals your account information.
But recent disclosures by Target and Neiman Marcus that their networks were hacked, and data about their consumers was stolen, have raised questions about how quickly merchants need to alert their customers.
In the case of Neiman Marcus, the company may have had evidence of a breach as far back as July. But the law is a bit murky on just how quickly companies need to let them know.
"This is much more complex than what you might think," says Peter Guffin, an attorney who specializes in privacy and data. He says there's a patchwork quilt of laws that make these disclosure rules complex.
"You've got 46 states, I believe, at last count who actually have their own notions of data breach notification," he says.
States vary in how much they require retailers to inform consumers about breaches. Some states say companies don't have to alert consumers unless there is a real "risk of harm." Guffin says the only place they tend to agree is that "most states want you to be notifying affected individuals as expeditiously as reasonably possible."
But consumer advocates point to a big exception to this rule that gives companies a lot of room.
"If there's a law enforcement investigation going on or if a disclosure about a data breach could impede a law enforcement investigation, then companies don't have to inform consumers of the breach immediately," says Jamie Court of the advocacy group Consumer Watchdog.
Court says companies can use an ongoing investigation as a reason to delay when they fear it will have a negative impact on their bottom line. He suspects that Target and Neiman Marcus may have delayed notifying customers about recent security breaches.
"It happened during the Christmas buying season," Court says. "And we just can't be sure until law enforcement tells us when the companies knew about the breach and whether they delayed the information getting to the American people."
Several state attorneys general are investigating the breaches, and in many cases, they look into the timing of the disclosure as part of the overall investigation.
In emails, spokespeople for Neiman Marcus and Target say they are confident that they are meeting all legal notification requirements.
All Tech Considered
Target Hack A Tipping Point In Moving Away From Magnetic Stripes