Hacked Companies Caught in Maze of Notification Requirements

  • Federal agencies, 50 states create reporting ‘Frankenstein’
  • SolarWinds cyber-attack may add momentum to simplify standards

Last summer, Katherine “Kitty” Green received some disturbing news about the computer network at Florida Gulf Coast University, where she oversees a foundation for private donors. An outside data provider warned it had detected that hackers sneaked into the university’s systems and might have made off with sensitive personal information of its benefactors.

Six months later, FGCU sent out notices to 5,498 financial supporters, offering free credit-monitoring and a hot line to call for more information. One reason it took so long is that, after consulting with technical and legal experts, the university concluded that under local laws, it would have to file different notifications in 16 different states.

“Every state has different questions, which makes it much more complicated to know what to do,” Green said. “It was definitely more time consuming than we’d imagined.”