Making information breaches public

How far should data disclosure go?

While security breach notification laws are forcing businesses to take more responsibility for their data, the debate continues over when consumers should be notified of an incident.

On one side are those calling for consumers to be notified of any breach that could expose sensitive data. Others, however, say a high disclosure threshold should be required to prevent over-notification and needless costs.

New Jersey-based Medco Health Solutions has come under fire for waiting more than a month to report the theft of a laptop computer containing unencrypted Social Security numbers and birth dates of about 4,300 Ohio state workers and 300 dependents.

The company, which handles prescription drug benefits for state employees in Ohio, reported the Dec. 28 theft to state officials on Feb. 8. The incident prompted Ohio officials to call for a review of the $4 million contract.

Kirk Herath, chief privacy officer and associate general counsel at Nationwide Mutual Insurance Co. in Columbus, Ohio, said that companies "clearly have a responsibility to safeguard customer information." However, he said many state laws have "hair triggers" when it comes to disclosures.

"I really think the standard for disclosure should be a clear risk of danger or harm to the consumer," Herath said.

Others argue that allowing companies to make disclosures based on their assessment of the risk posed to consumers is unworkable.

"Breaches should not be tied to the potential criminal use of the information," said Christopher Pierson, a lawyer at Lewis and Rocca LLP in Phoenix. "I find it highly unlikely that IT professionals, company officials or lawyers would be able to examine the intent of a criminal that has yet to be identified."

There is a growing call for a national breach-disclosure law that will pre-empt the patchwork of more than 40 state laws that are in place or in the works. Many state laws specify different triggers for notification and set varying requirements on what must be disclosed to whom and when.

California, for instance, requires companies to notify consumers each time their data is compromised. Other states, such as Delaware, Arkansas and Florida, require that consumers be notified of breaches only if the companies believe there is a reasonable risk of harm.

"The good news with these laws is that security incidents are more public and more visible, and that's really motivating companies to do a better job of protecting data," said Kirk Nahra, a board member of the International Association of Privacy Professionals, a group of IT security and privacy workers in York, Maine.

But while there's value in informing consumers of security breaches that pose a real risk of identity theft or fraud, little is gained by over-notification, added Nahra, who is also a partner at Wiley, Rein & Fielding LLP in Washington. For instance, the random loss or theft of a laptop or tape containing confidential data poses less of a risk than a targeted attack against a system containing terabytes of customer data, Herath said. Applying the same disclosure standards in both cases may not be appropriate, he said.

Paul Rubin, a former director at the Federal Trade Commission and a professor of economics and law at Emory University, argued for a more precise notification standard, because only about 2 percent of breach victims become victims of fraud and identity theft. Indiscriminate disclosures will only worry consumers, who may place fraud alerts on their accounts or close them, with little real reason, he said.

Allowing breached companies to make judgments on whether data might be misused will never work in favour of consumers, "because the statute of limitations on thieves using stolen data does not expire," said Arshad Noor, CEO of StrongAuth Inc., a compliance management firm in Sunnyvale, Calif.
