Monday, March 06, 2006

Breach notification laws: When should companies tell all? Privacy experts, lawyers differ on whether more laws would help

computerworld.com
Breach notification laws: When should companies tell all?
Privacy experts, lawyers differ on whether more laws would help
News Story by Jaikumar Vijayan

MARCH 02, 2006 (COMPUTERWORLD) - While there appears to be growing industry consensus that security breach notification laws have forced companies to take more responsibility for the data they own, there is little agreement on exactly when companies should be required to notify consumers when a data breach occurs.

Ranged on one side of the debate are those who want alerts for any breach involving the potential exposure of sensitive data. On the other side are those who say that a higher disclosure threshold is needed to avoid overnotification and needless costs.

“We clearly have a responsibility to safeguard customer information,” said Kirk Herath, chief privacy officer and associate general counsel at Nationwide Mutual Insurance Co. in Columbus, Ohio. “If we lose information, it’s our responsibility to inform consumers because that’s the only way they can protect themselves.”

However, many existing state laws have “hair-triggers” when it comes to disclosure requirements, he said. “I really think the standard for disclosure should be a clear risk of danger or harm to the consumer.”

But others argue that allowing companies to decide when to disclose a breach is unworkable.

“Breaches should not be tied to the potential criminal use of the information,” said Christopher Pierson, a lawyer with Lewis & Rocca LLP in Phoenix. “I find it highly unlikely that IT professionals, company officials or lawyers would be able to examine the intent of a criminal that has yet to be identified.”

The debate comes at a time when there are growing calls for a national breach disclosure law that would preempt a patchwork of laws in more than 40 states that are already in place or proposed. Many of those state laws specify different triggers for notifications and set varying requirements on what must be disclosed, to whom and when.

California, for instance, uses an “acquisition standard” that requires companies to notify consumers each time their data has been acquired by an unauthorized person. Other states, including Delaware, Arkansas and Florida, require companies to notify consumers of breaches only if the companies believe there’s a reasonable risk of harm. Some states exempt companies that encrypt their data from disclosures; others don’t.

Despite the compliance headaches caused by such disparities, the laws appear to be forcing companies to pay more attention to how they handle confidential data, said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc.

“The good news with these laws is that security incidents are more public and more visible -- and that’s really motivating companies to do a better job of protecting data,” said Kirk Nahra, a board member of the International Association of Privacy Professionals, a York, Maine-based association of IT security and privacy workers.

But while there’s value in telling consumers about security breaches that pose a real risk of identity theft or fraud, little is gained by overnotification, said Nahra, who is also a partner at Wiley Rein & Fielding LLP, a Washington-based law firm. “There are some laws that if you read them would require notice in ridiculous situations.”

The random theft or loss of a laptop or tape containing confidential data, for instance, is likely to pose less of a risk than a more targeted attack against a system containing terabytes of customer data, Herath said. So applying the same disclosure standards in both cases may not be appropriate, he said.

Similarly, requiring even companies that encrypt their data to disclose breaches, as some states mandate, is overkill, according to Herath.

Paul Rubin, a former director at the Federal Trade Commission and a professor of economics and law at Emory University in Atlanta, argued that a more targeted notification standard is required because only about 2% of breach victims actually become victims of fraud and ID theft. In the vast majority of cases, there’s no evidence to show that breached information is being misused, he said.

With that in mind, indiscriminate disclosures will only worry consumers, who may be induced to place fraud alerts on their accounts or close them entirely, with little real reason for doing so, he said. “I think all that these notices are doing is scaring people.”

They also expose companies to lawsuits from consumers who may not fully understand the true extent of the risk from security breaches, argued an analyst at a financial services firm who requested anonymity. “I personally believe that giving as much notice as possible is good behavior. But this is a litigious society we live in.”

That may be true, said Arshad Noor, CEO of StrongAuth Inc. a compliance management firm in Sunnyvale, Calif. But allowing breached companies to make judgments on whether data might be misused will never work in favor of consumers “because the statute of limitations on thieves using stolen data does not expire,” he said. “For more than four decades, IT organizations have operated in the shadows. Now for the first time, they’re being forced to shine the spotlight on their deficiencies.”