Companies don't have to tell you when they're hacked, but that might change

Updated Oct 04, 2016

Lawmakers are considering several pieces of legislation that would require notifying customers when their personal information is compromised in a data breach.

The push for setting a national standard for notification comes weeks after Yahoo announced more than 500 million accounts were hacked in 2014. The company did not notify customers for two years.

Some privacy and consumer advocates argue legislation isn't the answer.

Jim Harper, senior fellow at the Cato Institute, says there are cases when it may not be best for companies to notify people about each and every time they are hacked.

"You want to notify people when they can do something to protect themselves," Harper said. "When data is breached, notifying may just concern (consumers) because they can't do anything about it."

Harper says the focus should be on holding companies accountable to keep their users' information secure.

"It's not a matter of federal regulation but common law litigation," he said. "Nothing the government can do now can fix these problems. They're too complex for a single standard, especially from the federal government."

Ed Mierzwinski, of the consumer advocacy group the U.S. Public Interest Research Group, says consumers need to take their digital security into their own hands. He says that includes using passwords which include letters, numbers and symbols.

"Consumer groups recommend a security freeze, which is sometimes called a credit freeze, that locks the door on your credit report so no one can get in," Mierzwinski said.

He said the legislation could end up doing more to protect the companies that allowed the information to be stolen instead of the people that are victimized. He thinks state laws already protect the consumer and any federal action by Congress would weaken those protections.

"The strongest state laws say if 'you lose your information, tell your customers,'" Mierzwinski said. "The company that lost your info wants the right to decide when it's been lost and we disagree with that."

Congress could take up notification legislation during the lame duck session after the election.