Thursday, January 11, 2007

What can Europe learn from the experience with US Security Breach Notification Laws?

At my last count, 34 US States have laws that require the public to be notified of certain kinds of security breaches in which their personal information is compromised. Europe is now considering following suit. But turning any such proposal into effective practice will require a lot of work.
I think it’s easy for all of us to agree on one thing – every individual is entitled to be told promptly when a company learns of a security breach that has resulted in the loss of personal data that may subject an individual to identity theft or other such serious harm. It doesn’t really matter whether the breach was the result of mistake or malice – our first instinct should be to protect the user against harm while at the same time figuring out or fixing the problem that led to the breach in the first place. Prompt notice simply is the first step to protecting the customer.
The first practical question, however, is whether every loss of personal data should require notice. Yes, when customers give their personal information to companies who in turn store it for future uses, we all like to think that the information about us is held in vault-like security. But the truth is that there is no perfect security – some people will abuse their position or power to steal information, others will hack into systems for the challenge of it, and we are all human in the end and make mistakes. So if personal information is lost, it is appropriate to ask what types of personal information if lost should trigger notice.
While reasonable people may differ, I think the trigger should be a material risk of harm to the individual such as identity theft or financial loss. It is fair to say that, objectively, the loss of a laptop with customer list information such as name, physical address, email address and phone number likely presents little risk of financial harm or identity theft to any individual. Such information generally is available from directories or other public sources and most of us don’t take steps to protect that information from the public domain. But if you couple that information with an account access code or other key data elements that would permit a person to apply for credit such as date of birth and government identity number, then the risk of harm certainly increases.
In the United States, with its 34 State security breach notice laws, this in fact is the legal standard. Notice is required when a person’s name in combination with financial account information and access codes or a personal identifier like a social security number or driver’s license number are disclosed, so that there is a risk of harm occurring. This makes more sense than giving notice routinely – individuals should not be moved to anxiety over disclosures that present no real risk of harm; notice should mean something and be viewed as an important alert to pay attention to one’s credit card and bank statements. The diversity of security breach laws in the US has meant that in many US states, notice must be given whether or not any harm has been caused by a breach, which has led to notification being given frequently. In fact, there is evidence that individuals in the US are becoming jaded by receiving frequent security breach notices, so that sending a notice for every breach, even those that have no real effect on security, can produce a numbness that can itself represent a security risk.
Another practical issue to consider is the timing of any notice: it must be sufficiently prompt to afford individuals a meaningful opportunity to take steps to avoid harm. Yet, companies likewise need to investigate the cause of the breach, take remedial action, and prepare for notification as well. Similarly, companies often quickly complete their investigation and determine that the compromise is the result of the illegal acts of a third party. In those cases, referral is often made to law enforcement agencies. In some instances, law enforcement requests the service provider to refrain from giving notice or publicly disclosing the incident in an effort to further investigate the crime and find the perpetrator. So it may be appropriate to delay notice at the request of law enforcement if doing so is in the public interest.
Giving notice is the easy part; responding to subsequent inquiries, however, takes planning. For example, companies that have been through the breach notification process have commented on the need to establish call center support to respond to customer inquiries that arise after receipt of a notification. Many companies also arrange for fraud protection insurance coverage and take steps to notify credit reporting agencies, banks and card issuers. These customer-friendly steps are important to ensuring a complete and accurate notification and for the protection of the customer. Such procedures would obviously need to be adapted to European conditions since, unlike the US, there is no EU-wide credit reporting capability.
A sensible security breach law would help consumers in Europe know when their personal data is safe, and when it might not be.