Written by: Haim Ravia and Dotan Hammer
Breach notifications cost, on average, $370,000, according to an industry report, but organizations that plan-ahead can reduce these costs significantly.
In recent years, data breaches have become increasingly frequent and common. They are orchestrated by increasingly sophisticated threat actors. Yet many of the data breach notification laws in the United still follow the two-decade-old blueprint laid down in California law.
The blueprint requires notification to affected data subjects. These notifications may be provided electronically, such as by email, allowing companies to save on some of the increasing expenses in data breach handling. IBM Security’s “Cost of a Data Breach Report” from 2023 indicates that breach notifications cost, on average, $370,000, a 20% increase from 2022. Yet under about half of states’ data breach notification laws in the U.S., companies can email breach notifications and save costs, only if the notice complies with the provisions specified in the federal Electronic Signatures in Global and National Commerce Act of 2000 (E-Sign Act, 15 U.S.C. § 7001).
Under the E-SIGN Act, companies can provide information to consumers, electronically, only if the consumer has given their prior consent to receive the information electronically. Moreover, before obtaining the consumer’s consent, the company must present the consumer with a detailed disclosure that includes various statements, such as the right to withdraw consent, the conditions, procedures, consequences, and fees for withdrawal, how the consumer may nonetheless request a paper copy and any fees charged for it, and the hardware and software requirements for access to and retention of the electronic record.
In the absence of a consumer’s prior consent to receive information electronically, or in the absence of the full disclosure required under the E-SIGN Act, companies would be severely limited in relying on emails as a means of communication to satisfy their data breach notification requirements. This, in turn, will increase the company’s breach notification expenses because alternative methods for breach notifications in these state laws are costly and burdensome. These alternative methods include hardcopy letters sent by postal mail and notifications to statewide media outlets (e.g., television and radio channels, and newspapers).
To save costs associated with data breach notifications, consumer-facing service providers, that offer their services to individuals in the United States, should consider taking measures in advance to secure a right to provide data breach notifications by email messages to their consumers. This should be done using a properly drafted disclosure, and receipt of consumer consent.
Cyber, Privacy, and Copyright Group – Pearl Cohen Zedek Latzer Baratz
This client update is intended for purposes of general knowledge only, does not fully cover the intricacies of the subject matter discussed, does not constitute legal advice and should not be relied on for such purposes.
