How to Address Incident Response Laws in the U.S.

There are few federal incident response laws. The U.S. Congress tried to change that last year. Both Republicans and Democrats have expressed a desire to pass cybersecurity incident reporting legislation, either as a standalone bill or as part of another big legislative package.

In the most recent attempt, bipartisan cybersecurity and homeland security measures were placed in the NDAA (National Defense Authorization Act) for Fiscal Year 2022 (H.R. 4350).

But on December 7, 2021, the House of Representatives passed the NDAA without any cybersecurity incident reporting requirements. Some lawmakers felt that imposing such a requirement on private entities, some of which are small businesses, would be overly burdensome.

However, federal lawmakers were too late. Such requirements have already been put in place by state lawmakers.

Although U.S. businesses are not subject to anything as strict as the EU’s GDPR (General Data Protection Regulation) or even a federal cybersecurity and privacy law, they are still required to comply with multiple local cybersecurity laws.

Every state has incident reporting laws. The way many of them are structured means violations can result in larger penalties than even the toughest GDPR penalties issued thus far.

The level of penalties varies, but this is not the biggest issue. The lawsuits stemming from a failure to report an incident may be far worse.

We talked recently about the right of private action, but not all states have these rights. We’ve also discussed negligence, but it can be difficult to claim damages.

With breach notification laws, the failure to report the breach and notify data subjects may be the act that creates the damages.

Failure to report is no longer negligence. It requires intent, which changes the tort to one requiring an affirmative act – known as an intentional tort. In some cases, it could even be a crime.

For example, in late 2016, criminal hackers stole data from 57 million Uber users and drivers. The company should have reported the breach, but concealed it for more than a year.

To make matters worse, the FTC (Federal Trade Commission) was already investigating Uber in connection with a similar data breach two years earlier.

When FTC investigators spoke to Uber’s chief security officer, Joseph Sullivan, about the earlier incident, he, allegedly acting on advice from Uber’s legal department, failed to inform them of the 2016 breach. According to prosecutors, he also kept information about the incident from Uber employees who were responsible for communicating with the FTC.

In August 2020, a criminal complaint was filed by a federal prosecutor in federal court, charging Sullivan with obstruction of justice and wire fraud in connection with the attempted cover-up. If convicted, he could face up to eight years in prison.

The breach was eventually disclosed by Uber’s new CEO, Dara Khosrowshahi, in November 2017. This led to a settlement of $148 million after all 50 states and the District of Columbia sued the organization for violating breach disclosure laws.

Such violations can have many other consequences. Equifax was breached and did not report it for months. This resulted in a fine from the SEC (Securities and Exchange Commission).

Furthermore, organizations that don’t report could be running up damages, since victims do not have time to take mitigating actions such as canceling credit cards or freezing their credit.

The penalties for these statutes are often not set out in the statute itself. Instead, they refer to other statutes, typically UDAP (unfair and deceptive acts or practices) statutes.

These statutes can be a problem for defendants because they can have a wide range of potential remedies, including restitution, legal fees, and civil penalties, and many also provide for a private right of action. Even if the breach notification statute does not contain these remedies, they may show up in the UDAP statute, since the failure to report a breach can be considered an unfair practice.

In addition, breach notification statutes often contain references to biometric information. For example, Washington and Texas may not have a biometric protection statute like Illinois, but both have provisions in their breach notification statutes that allow the attorney general to seek fines of $25,000 for each violation.

Data breach survival

The failure to report a breach, which is quite common in the U.S., can have disastrous consequences. It may not be the primary basis for a lawsuit following the breach, but it may become part of the complaint, increasing the probability of the lawsuit and the size of the award.

You can find out how to avoid fines by reading The Data Breach Survival Guide – Preparing for the inevitable.

This free green paper explains how to prepare for and respond to security incidents effectively and in line with your compliance requirements.

It explains the importance of preventive, detective, and responsive measures, and how they fit into your organizational practices.

It also contains a step-by-step walkthrough of a typical data breach response process, outlining your data breach reporting requirements.