Don't expect a letter from Monster or Heartland Payment Systems letting you know they've lost your data. The breaches at Monster.com and Heartland Payment Systems are raising questions about the efficacy of data-loss disclosure laws enacted in at least 45 states.
Back in 2007 we wrote about how the financial services industry lobbied hard to block proposed federal rules requiring organizations to notify individuals whose data they lose, and to permit consumers to freeze their credit histories.
States such as California and Massachusetts have passed laws giving consumers these rights. But the Monster and Heartland capers have brought weaknesses in the legislation to center stage. I asked Lisa Sotto, head of privacy and information management at law firm Hunton & Williams, about this:
Q: Heartland and Monster told me they intend to comply with all state laws. That said, they have not announced plans to notify individual victims. Is that OK?
A: In the state breach notification laws, it is permissible to delay notification if a law enforcement agency determines that notification would impede a criminal investigation. If such a delay is requested by law enforcement, notification must be made after the law enforcement agency determines that notice would not compromise the investigation. I do not know if these companies received a delay request from a law enforcement agency.
Q: The only official notices from Heartland and Monster so far have been one-page disclosures posted on a web site. Does that cover them?
A: There are provisions in the state laws allowing for "substitute notice" if the number of individuals required to be notified exceeds a certain number (which differs by state), if the cost will exceed a certain dollar amount (which also differs by state), or if the business seeking to notify does not have sufficient contact information for the affected individuals. If substitute notice is used, the notifying party generally must send an email to the affected individuals if the notifying party has email addresses, post a notice on the web site page of the notifying entity, and notify media.
By Byron Acohido
The experienced class action attorneys at Gray and White Law represent victims of personal information data theft. The full truth behind the Heartland Security Breach will soon be known, as investigations are pending. If you or a loved one believe that you may have been affected by the Heartland Payment Systems security breach, please contact the class action and complex litigation attorneys at Gray and White Law, or email Matthew L. White ([email protected]) for a free consultation.