Data-Breach Alert Laws May Be Eased

US companies wouldn’t have to disclose some cybersecurity breaches under proposed legislation introduced in both chambers of Congress in recent months.

Under the proposed legislation, companies would be allowed to decide whether a breach of consumer data merits notifying customers. Under the proposals, companies would need to quickly notify customers about an intrusion if they believe there is a risk that the breach would lead to serious identity theft or fraud. But if companies believe there is no reasonable chance that a breach will hurt customers, the proposed legislation would allow them to keep it under wraps. The proposed law would override current state laws on notification, many of which compel companies to tell customers if there is any unauthorized access of their personal data, regardless of perceived harm, said Gerald Ferguson a privacy attorney at Baker & Hostetler LLP, who counsels companies on how to handle breaches.