Support for a single national standard for all organizations to follow in the event of a data breach has grown in recent months, and Congress appears responsive to arguments and ready to take action. Observers have suggested that a federal data breach law would lead to fewer notifications to consumers after security incidents, allowing businesses to keep quiet unless there is a real danger that information will be misused. Is that really such a bad thing?
Now, hear me out. What happens following a data breach? The affected organization investigates, alerts consumers to the fact that their personal information has been accessed, and offers credit monitoring and identity theft protection services. And theoretically, the business shores up its defenses, pays the consequences, and crosses its fingers it won’t get hit again.
However, where’s the incentive for consumers to take matters into their own hands, to guard against their data being misused? If consumers wait to be told to check their credit report, keep an eye on their health insurance statements, and change their passwords, that puts the onus on businesses to protect them, when they could be doing their bit to protect themselves.
There’ve been numerous reports and speculation suggesting that the general public has experienced some sense of apathy upon receiving breach notifications – it’s just business as usual in many minds. A new credit card arrives in the mail and the olive branch of identity theft protection is offered.
If the goal of fewer notifications is to put more weight behind a letter from an organization that holds your personal information, that seems to be a fairly decent objective. If a letter informing you that confidential data has been released into the digital wilds actually means something, then that seems like a net positive.
A recent report from Symantec, the firm’s annual Internet Security Threat Report, suggests that businesses may already be keeping quiet on some data breaches. Symantec observed, “In 2013, 34 out of 253 breaches, or 13 percent, did not report the number of identities exposed. In comparison, 61 out of 312, or 20 percent, of breaches disclosed in 2014 didn’t include this information. This equates to 1 in 5 breaches not reporting on the breadth of data exposed. It’s difficult to definitively explain why this information is not being shared publicly. In some cases it’s possible the organizations find it too challenging to determine the number of identities exposed. In others, this information likely remains undisclosed to help save face in what clearly has a negative impact on an organization’s public reputation.”
Symantec went on to say, “What is most concerning, however, is this trend could point to a situation where a large number of breaches are not being disclosed to the public at all. While there are many industries, such as healthcare and some government organizations where a breach must legally be reported, most industries do not have such laws. As a result, some organizations may decide to withhold information about a breach to protect their reputations, and they do not face penalties as a result. This may change in the coming years, as many governing agencies around the world are already looking at bringing in regulation surrounding the proper disclosure of data breaches.”
Symantec’s comments present an interesting addition to the argument. No organization should skip notifying its customers to save face and avoid regulatory scrutiny. Every security incident should be investigated and addressed, with an eye toward future deterrence. It’s also valid to note that any number of breached companies have argued assertively in court that no harm has resulted from the event, with consumers standing in relatively firm opposition. If the goal of federal legislation is to take it easy on the nation’s businesses on data breaches, that negates the work that 47 states have done in crafting legislation and sending the message to businesses that protecting consumers’ information is important.
Therefore, the intent should be to shift from a culture of blast notifications to a culture of awareness for all. Data breaches and other cyber events are a big deal, and the current structure doesn’t make that clear to the public. If organizations of all sorts and all sizes must fiercely guard against the exposure of the data they hold, then the actual owners of the data should maintain some level of responsibility as well.