Over the last few years, the United States has witnessed the birth of a new phenomenon in data security regulation. This new addition to the world of American legislation has caused a deep rift between businesses and consumers, landing each squarely on opposite sides of a deeply divisive issue. Despite the schism that this new occurrence is causing, there is no sign that the phenomenon will abate. In fact, its cause appears to be accelerating with each reported data compromise. After all, the goal of this new trend is to stop the growth of identity theft and financial fraud perpetrated as a result of data breaches. The phenomenon in question is, of course, the data breach notification law, or more precisely laws. More than 30 states have now enacted laws requiring companies to notify customers if consumer data was compromised in a data breach. The US Congress has seen something on the order of a dozen versions of a notification law introduced in the last two years. Love them or hate them, it is clear that the era of notification laws has begun and is here to stay.
The issue of notification laws is fodder for great debate between consumer rights organizations and businesses, and rightly so. Each side has valid complaints about the effectiveness of such laws.
Consumers object to the laws on the basis that they simply do not offer enough protection. Most laws, for instance, contain language indicating that notification should be made in the event that the data has been stolen and that there is a “high likelihood” or “significant risk” that the information will be used to perpetrate identity theft. This extremely nebulous trigger raises concerns among consumer rights activists. How does one define “high likelihood”? Given that a judge in California ruled that the CSSI breach did not constitute a “significant risk” of identity theft to consumers, consumer concerns about this language would seem to be valid. Such a clause essentially leaves the decision of whether or not consumers should be notified in the hands of the company that experienced the breach, and it is certainly in that company’s interest not to notify its customers. In addition, several versions of the proposed federal notification bill would actually weaken the existing state laws, giving companies even more flexibility in determining when consumers should be notified and hamstringing consumers’ ability to implement credit freezes.
In looking at the issue from the side of business, it could be argued that notification laws place an undue burden on businesses to notify customers of a breach, in some cases a suspected breach, when there has been no evidence that the information will be used to perpetrate fraudulent activity. For example, there is no evidence that the exposure of credit card numbers alone will result in identity theft.
In addition, federal law limits consumer liability for fraudulent purchases and the major card associations have adopted a ‘zero liability’ stance. These controls ensure consumers are not held liable for fraudulent purchases made on their accounts, so there is little, if any, financial impact on the consumer. However, if credit card numbers are compromised, a business must notify each potentially exposed customer. In addition to that expense, the notification results in an increase in the number of cards being reissued and may also mean that the company is responsible for credit monitoring services as well.
The intangible costs of notification can potentially be just as harmful. At present there is no way to estimate the loss of future business. The damage to brand equity that may result from the publication of a data security breach can be enormous. According to the “National Survey on Data Security Breach Notification” by the Ponemon Institute, 20% of consumers that received notification of a breach immediately terminated their accounts. Imagine, then, the effect such a notification would have on potential customers that had no such existing relationship with that business prior to the publication of the breach.
An additional point of contention for businesses is the punitive clauses that are built into the bills. While few of them offer guidelines as to how to protect sensitive data, they all impose civil or criminal liability on the company that suffers the breach. Even if a company implements best practices in securing customer data, it may still be liable for the loss of that data. In fact, some state laws enable victims of data breaches to sue for triple their damages, while other states may simply enjoin the business. In this case, the punishment does not fall on the criminal; rather, it falls on the victim.
Another significant challenge with the notification laws as they exist today is the ever-increasing number of different laws with which companies must comply. For example, the definition of personally identifiable information (PII) in California includes an individual’s first name or initial and last name combined with any of the following: SSN; driver’s license or state identification number; or an account number or credit or debit card number, combined with any required information that allows access to the account or to any other financial information. Maine’s definition of PII includes those same elements but then adds passwords, access codes, or any other information that can be used for identity theft, even if it does not include a person’s name. The sheer amount of resources required to keep watch over the requirements of the various states and then to ensure compliance with those regulations is staggering.
The larger problem is that “notification” is not going to stop the trend that led to the introduction of these laws in the first place. They are the data security equivalent of treating the symptom and not the cause. Certainly, informing consumers of a breach resonates with the public, but it does not address the underlying cause of the breaches. The information security practices of private, and more recently of government, organizations have been highlighted as deficient in the wake of recent data losses, yet the proposed laws do little to address this point. While some of the recent notification laws do address the issue of information security, most merely advise that companies implement industry “best practice” or take “due care” with the data in their possession. Such standards are extremely subjective and open to a great deal of interpretation. Data security experts, like experts in most fields, thrive on debating appropriate and adequate controls and nuances of language. One data security expert may be willing to endorse a control that another expert would not even consider.
An important distinction that is made in the laws, though, is that notification is only required if unencrypted personal data is compromised. In fact, the proposed Data Accountability and Trust Act (DATA) states that, “The encryption of data in electronic form shall establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data.” It should also be noted that the encryption of data must be accompanied by the secure management of the encryption keys in order to maintain the “no reasonable risk” presumption.
The notification laws, while offering safe harbor for companies that encrypt data, do not offer guidance on an acceptable encryption standard. For those obligated to the PCI standard, this may be a moot point. The PCI not only requires encryption but denotes which standards are acceptable: it requires that the cardholder number be encrypted using Triple-DES 128 or AES-256. By complying with the PCI, companies may be able to bolster their position relative to the notification laws. Granted, the PCI standard is narrowly focused on cardholder information, but the same technologies used for protecting cardholder data can be leveraged across all sensitive customer data. The PCI offers an excellent level-set for protections surrounding any information which, if exposed, could trigger a notification requirement.
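The two conditions above, an approved cipher and keys managed separately from the data, are illustrated by the following Go example. It is added here and is not code from the article or from any PCI or DATA text; it uses AES-256 in GCM mode (the mode is the author's choice, the standards quoted only name the cipher) and assumes a hypothetical KeyStore standing in for an HSM or key service, so that a copy of the database alone yields only ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// KeyStore stands in for an HSM or key-management service (hypothetical):
// the database stores only a key name, never the key bytes themselves.
type KeyStore map[string][]byte
// aesGCM fetches a 256-bit key and builds an AES-256-GCM AEAD (authenticated).
func aesGCM(ks KeyStore, keyID string) (cipher.AEAD, error) {
	key, ok := ks[keyID]
	if !ok || len(key) != 32 {
		return nil, errors.New("key missing or not 256-bit: " + keyID)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// EncryptPAN returns nonce||ciphertext for a card number; the customer id is
// bound as associated data so a blob cannot be moved to another record.
func EncryptPAN(ks KeyStore, keyID, customerID, pan string) ([]byte, error) {
	aead, err := aesGCM(ks, keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(pan), []byte(customerID)), nil
}
// DecryptPAN fails if the key is unavailable (only the database leaked), the
// blob was tampered with, or it was re-attached to a different customer.
func DecryptPAN(ks KeyStore, keyID, customerID string, blob []byte) (string, error) {
	aead, err := aesGCM(ks, keyID)
	if err != nil || len(blob) < aead.NonceSize() {
		return "", errors.New("key unavailable or blob too short")
	}
	ns := aead.NonceSize()
	pt, err := aead.Open(nil, blob[:ns], blob[ns:], []byte(customerID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

The key store is the part the "no reasonable risk" presumption rests on: if the 32-byte key is written into the same table as the blobs, the encryption buys nothing against a database theft.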
The notification laws may appear to be either overly burdensome or entirely insufficient, depending upon how you look at the issue. However, both sides can be protected by encrypting the data in question. While many companies in the past have objected to the use of encryption on the basis of expense and network overhead, those objections are no longer completely viable, especially when compared to the expense of losing personal data that has been stored in clear text. Such a loss can be extremely costly: Gartner analyst Avivah Litan estimates the cost of a breach to be 15x the cost of encrypting customer records. The use of encryption can mollify the outcry from the public and the media while simultaneously protecting companies from the liability associated with the loss. The lesson here can be very simple: when in doubt, encrypt.