Breach notification laws: When should companies tell all?
Privacy experts, lawyers differ on whether more laws would help
March 2, 2006 12:00 PM ETComputerworld - While there appears to be growing industry consensus that security breach notification laws have forced companies to take more responsibility for the data they own, there is little agreement on exactly when companies should be required to notify consumers when a data breach occurs.
Ranged on one side of the debate are those who want alerts for any breach involving the potential exposure of sensitive data. On the other side are those who say that a higher disclosure threshold is needed to avoid overnotification and needless costs.
We clearly have a responsibility to safeguard customer information, said Kirk Herath, chief privacy officer and associate general counsel at Nationwide Mutual Insurance Co. in Columbus, Ohio. If we lose information, its our responsibility to inform consumers because thats the only way they can protect themselves.
However, many existing state laws have hair-triggers when it comes to disclosure requirements, he said. I really think the standard for disclosure should be a clear risk of danger or harm to the consumer.
But others argue that allowing companies to decide when to disclose a breach is unworkable.
Breaches should not be tied to the potential criminal use of the information, said Christopher Pierson, a lawyer with Lewis & Rocca LLP in Phoenix. I find it highly unlikely that IT professionals, company officials or lawyers would be able to examine the intent of a criminal that has yet to be identified.
The debate comes at a time when there are growing calls for a national breach disclosure law that would preempt a patchwork of laws in more than 40 states that are already in place or proposed. Many of those state laws specify different triggers for notifications and set varying requirements on what must be disclosed, to whom and when.
California, for instance, uses an acquisition standard that requires companies to notify consumers each time their data has been acquired by an unauthorized person. Other states, including Delaware, Arkansas and Florida, require companies to notify consumers of breaches only if the companies believe theres a reasonable risk of harm. Some states exempt companies that encrypt their data from disclosures; others dont.
Despite the compliance headaches caused by such disparities, the laws appear to be forcing companies to pay more attention to how they handle confidential data, said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc.
The good news with these laws is that security incidents are more public and more visible -- and thats really motivating companies to do a better job of protecting data, said Kirk Nahra, a board member of the International Association of Privacy Professionals, a York, Maine-based association of IT security and privacy workers.
Security
Additional Resources



White Papers & Webcasts
Share our Strength
Download Now
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Top 10 Things to Know about Data Protection
Download Now
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Ponemon Study: The Business Risk of a Lost Laptop
Download Now
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Airport Insecurity: The Case of Lost Laptops
Download Now
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
