An editorial from The Herald-Dispatch
HUNTINGTON, W.Va. — If your personal information stored by a retailer somehow falls into unauthorized hands, how would you be notified? Or would you be notified at all?
The answer may well depend on where you live. And that’s not a very good answer.
The issue has gained added attention in recent months following two well-publicized data breaches at two national retailers. Target disclosed last December that 40 million credit and debit card accounts had been exposed between Nov. 27 and Dec. 15, while Neiman Marcus has said that it had a data breach involving 1.1 million credit and debit cards.
The potential impact for those card-holders is that they could become victims of identify theft and outsiders could basically steal money from those accounts.
In such instances as these, and in cases involving far fewer accounts, one of the chief questions is how quickly and in what manner should retailers let affected customers know of data breaches. As it stands now, there is no national standard for notifying customers, leaving any requirements to states for setting the rules.
Unfortunately, a few states, including Kentucky, have no laws on the books requiring notification, although a bill that would set standards is up for final action now in the Kentucky Legislature. In other states, the requirements can vary widely.
Both West Virginia and Ohio have notification statutes, and they are essentially the same. However, Ohio requires businesses who have had data breaches to alert customers within 45 days, while West Virginia’s law does not spell out a time requirement. Forty-five days before customers are alerted seems too long as it is, but placing no deadline for notifying customers could be paramount to having no requirement at all…