Computerworld - While security breach notification laws are forcing businesses to take more responsibility for their data, the debate continues over when consumers should be notified of an incident.
On one side are those calling for consumers to be notified of any breach that could expose sensitive data. Others, however, say a high disclosure threshold should be required to prevent overnotification and needless costs.
Franklin, N.J.-based Medco Health Solutions Inc. has come under fire for waiting more than a month to report the theft of a laptop computer containing unencrypted Social Security numbers and birth dates of about 4,300 Ohio state workers and 300 dependents.
The company, which handles prescription drug benefits for state employees in Ohio, reported the Dec. 28 theft to state officials on Feb. 8. The incident prompted Ohio officials to call for a review of the $4 million contract.
Kirk Herath, chief privacy officer and associate general counsel at Nationwide Mutual Insurance Co. in Columbus, Ohio, said that companies "clearly have a responsibility to safeguard customer information." However, he said many state laws have "hair triggers" when it comes to disclosures.
"I really think the standard for disclosure should be a clear risk of danger or harm to the consumer," Herath said.
Others argue that allowing companies to make disclosures based on their assessment of the risk posed to consumers is unworkable.
"Breaches should not be tied to the potential criminal use of the information," said Christopher Pierson, a lawyer at Lewis and Rocca LLP in Phoenix. "I find it highly unlikely that IT professionals, company officials or lawyers would be able to examine the intent of a criminal that has yet to be identified."
There is a growing call for a national breach-disclosure law that will preempt the patchwork of more than 40 state laws that are in place or in the works. Many state laws specify different triggers for notification and set varying requirements on what must be disclosed to whom and when.
California, for instance, requires companies to notify consumers each time their data is compromised. Other states, such as Delaware, Arkansas and Florida, require that consumers be notified of breaches only if the companies believe there is a reasonable risk of harm.
"The good news with these laws is that security incidents are more public and more visible, and that's really motivating companies to do a better job of protecting data," said Kirk Nahra, a board member of the International Association of Privacy Professionals, a group of IT security and privacy workers in York, Maine.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
