Financial Data Breaches: Timing Is 'Almost' Everything
Which action was justifiable: (i) Comerica Bank notified customers and stopped all account activity within 6 hours of a data breach; or (ii) Citigroup took one month before notifying 360,000 customers of a data breach?
Going by the courts ... Comerica lost and Citigroup won - at least so far, because various government agencies are still probing Citigroup's breach - so anything can happen. But still, the vast differences in response times beg the question: in reporting data breaches, how fast is legally fast enough?
Growing Concern. As data theft becomes more frequent, more severe and more widespread (encompassing companies, organizations and government offices of all sizes and shapes), everyone is expressing concern. Politicians are interested. Congress held three hearings on cybercrimes and data theft in June. Representative Mary Bono Mack introduced a bill to establish nationwide standards for data security and breach notification. The goal of the law is to push quick notification to consumers following a breach.
Forty-six states have laws addressing corporate responses to data theft - but of course, their requirements vary widely. Some demand prompt customer notification; others say customers must be notified "in a reasonable time."
Getting Back to Comerica and Citigroup. In the case of Comerica, a customer unwittingly responded to a malicious email posing as a bank maintenance request by providing his company's account data. The cyber-criminals used the data to quickly transfer $1.9 million out of the customer's business account. A judge ruled that Comerica's response - within 6 hours of the breach - was not fast enough and required Comerica to pay $560,000 to cover the portion of funds that weren't recovered.
Judge Patrick Duggan in Detroit said the bank didn't act "in good faith." The judge further ruled that "a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped [i.e., prevented] the fraudulent wire activity earlier."
In the case of Citigroup, routine monitoring caught wind of customer credit card data being compromised. The company, however, spent nearly a month analyzing "millions of pieces of data," according to a press release, and said it began notifying 360,000 affected customers nearly one month later.
Federal and state governmental investigations continue - most recently Connecticut's attorney general joined other state regulators in an investigation. Meanwhile, Citigroup pledged to repay the $2.7 million stolen from customers.
Take Away. Such disparities have led some to call for a fixed notification period. Professor Eric Goldman of Santa Clara University Law School, however, disagrees, saying it doesn't make sense for a company to communicate when it doesn't know what happened or who was affected. It can take a forensic team weeks, or even months, to find answers.
"Don't underestimate how hard it is." Prof. Goldman added, "Consumers don't really want information unless they can act on it."
Lisa Sotto, MD of Hunton & Williams' NY Office, says "Data breach is a culture unto itself. It goes beyond interpreting the law." For further details, go to: [Law.com, 7/25/11]

