Breach notification laws: When should companies tell all?

Computerworld - While there appears to be growing industry consensus that security breach notification laws have forced companies to take more responsibility for the data they own, there is little agreement on exactly when companies should be required to notify consumers when a data breach occurs.

Ranged on one side of the debate are those who want alerts for any breach involving the potential exposure of sensitive data. On the other side are those who say that a higher disclosure threshold is needed to avoid overnotification and needless costs.

“We clearly have a responsibility to safeguard customer information,” said Kirk Herath, chief privacy officer and associate general counsel at Nationwide Mutual Insurance Co. in Columbus, Ohio. “If we lose information, it’s our responsibility to inform consumers because that’s the only way they can protect themselves.”

However, many existing state laws have “hair-triggers” when it comes to disclosure requirements, he said. “I really think the standard for disclosure should be a clear risk of danger or harm to the consumer.”

But others argue that allowing companies to decide when to disclose a breach is unworkable.

“Breaches should not be tied to the potential criminal use of the information,” said Christopher Pierson, a lawyer with Lewis & Rocca LLP in Phoenix. “I find it highly unlikely that IT professionals, company officials or lawyers would be able to examine the intent of a criminal that has yet to be identified.”

The debate comes at a time when there are growing calls for a national breach disclosure law that would preempt a patchwork of laws in more than 40 states that are already in place or proposed. Many of those state laws specify different triggers for notifications and set varying requirements on what must be disclosed, to whom and when.

California, for instance, uses an “acquisition standard” that requires companies to notify consumers each time their data has been acquired by an unauthorized person. Other states, including Delaware, Arkansas and Florida, require companies to notify consumers of breaches only if the companies believe there’s a reasonable risk of harm. Some states exempt companies that encrypt their data from disclosures; others don’t.

Despite the compliance headaches caused by such disparities, the laws appear to be forcing companies to pay more attention to how they handle confidential data, said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc.

“The good news with these laws is that security incidents are more public and more visible -- and that’s really motivating companies to do a better job of protecting data,” said Kirk Nahra, a board member of the International Association of Privacy Professionals, a York, Maine-based association of IT security and privacy workers.