Should Consumers Be Notified Of Every Data Breach?

The Government Accountability Office issued a report on July 5th concerning the issue of consumer privacy and data breaches in response to several bills in Congress that carry a national notice requirement. The GAO was asked to assess the costs and benefits of such a requirement. There’s good news and (sorta) bad news. First the good news:

    • Even though data breaches happen fairly frequently, they are less often used for ID theft purposes that you might expect.
    “For example, in reviewing the 24 largest breaches reported in the media from January 2000 through June 2005, GAO found that 3 included evidence of resulting fraud on existing accounts and 1 included evidence of unauthorized creation of new accounts. For 18 of the breaches, no clear evidence had been uncovered linking them to identity theft; and for the remaining 2, there was not sufficient information to make a determination.”

    Now, the bad news:

  • The Government Accountability Office is concerned about the costs and challenges involved for companies if they are required to notify consumers of every data breach.
  • The full extent of the connection between info breaches and ID theft is unknown, because it’s difficult to connect ID theft to where the information was stolen from.
  • The Government Accountability Office recommends that a “threat level” type system be used to determine if the breach warrants notification. They claim that using such a risked based approach, “could avoid undue burden on organizations and unnecessary and counterproductive notifications of breaches that present little risk.”

    The report claims that it has “no recommendations,” but the language of the report suggests otherwise. Consumer advocates are taking issue with the GAO’s “not-a-recommendation” of a risk-assessment plan, in part because they believe that every consumer who has been the victim of a data breach should know about it, and also because the connection between data breaches and ID theft is difficult to assess, thus making it somewhat unbelievable that an accurate and useful risk-assessment program could be created.

    The GAO does point out that requiring disclosure of data breaches would likely have a positive affect on security, but seems very concerned about the associated costs.

    Michelle at Consumer’s Union says about the report, “Consumers Union thinks that because law enforcement and business associations can’t even say how often data breaches lead to harm, letting each business that has a security breach decide not to tell individuals about the breach because the business hasn’t determined that there is a risk of harm to consumers would be a very big loophole in any notice requirement.

    We believe the consumer should always know.”

    Who should decide if you get notice of a security breach? [Financial Privacy Now]
    Personal Information Data Breaches are Frequent, but Evidence of Resulting Identity Theft is Limited; However, the Full Extent Is Unknown. (PDF) [GAO]
    (Photo: ellimac)

  • Comments

    Edit Your Comment

    1. B says:

      Yes. Consumers should be notified every time there is a data breach. If it’s too expensive for companies to notify their customers, then they should spend more money securing the data.

    2. bnet41 says:

      Data breach is not clearly defined here. Even companies with the best security get breached on occasion, but not every breach involves credit/personal information. I think notification should only go out when the breach has reached personal information, which should be encrypted anyways. Some hacker breaking into the receptionists OWA(Outlook Web Access) account is not the same as a hacker getting past the VPN or firewall into servers.

    3. Steel_Pelican says:

      @B: Exactly. If a company produces an unsafe product, they have to announce the problem and recall the product. I feel it’s within reason to expect a company to announce other potential breaches of their client’s safety.

    4. vladthepaler says:

      Um. The more money data breaches cost the company whose data is breached, the better. Cost is the only incentive companies have to keep data secure. If they’re required to tell people about security breaches, and telling people about security breaches is expensive, maybe they’ll decide it’s cheaper to keep their data secure.

    5. Trai_Dep says:

      Awwww, poor lil companies that recklessly expose our personal data, condemning us to lose man-months of our lives arguing with banks, credit reporting agencies and loan officials (but the experience is so wonderful!) don’t want to be burdened with letting us know every time they’ve (potentially) trashed our lives. Partially because those identity thieves don’t politely leave us a note charting from which company each personal breach came from.

      Poor babies!

      Hey, I have an idea: if you don’t want to tell us that you gave away our personal info, don’t lose it!

      Better still, any time a company loses personal data of any customer (most of which don’t have a choice in giving it to them), automatically, the top 20% of the corporation, by total compensation, must broadly publish every iota of their personal data. And Federal charges filed if they use company resources – or hire lackies – to deal with the armegeddon that results.

      And, judging by this “brilliant” idea, the people that run the GAO that think this is a great idea.

      What… IDIOTS.

    6. joopiter says:

      @Steel_Pelican: @B: Agreed as well. When a data breach has reached a customer’s sensitive data, it should be required that notification go out in a timely manner regardless of how much it would cost the company to do so. Customer notification in that kind of situation should now be one more cost of doing business in the information age, just like actually securing the data should be.

    7. B says:

      @bnet41: That’s why I specified Data breach, not network breach. If there is unauthorized data access, consumers should be informed. If there is no way to know, there should be safeguards put in place that monitor when there is unauthorized data access.

    8. ladycrumpet says:

      Having just received such a notification – from a company called Certegy Check Services, who let me know that an employee stole information and sold it to a data broker who then sold a portion of it to direct marketing organizations – I can vouch for consumer notification. I already believed that people should be notified, as soon as possible, so they can be alert to any weird activity, but this experience just drives it home.

    9. Trai_Dep says:

      The proper term for this is an externality. As in, when a mining company strip-mines vast tracts of land, lacing it with arsenic then moves away, leaving everyone else (taxpayers) to pay for cleaning up the mess. Looks great on their balance sheet, since they’ve shifted the real, total cost to someone else.

      This is the same thing, and is as odious. Beyond notifying everyone, they should have to pay more – a lot more (and have to release personal data of their execs).

      Otherwise, they’ll merely snicker, shrug and move on to the next “mistake”.

    10. joopiter says:

      @ladycrumpet: I got that same letter last night.

    11. alk509 says:

      The GAO was asked to *ASSES* the costs and benefits [...]

      Oopsies! :-)

    12. hollerhither says:

      @Vlad — yeah, what you said.

      I will never understand the theory, supported passionately by the executive branch and a good number of our legislators, that eliminating corporate regulation and shifting the burden to the consumer somehow strengthens the economy. I’m still waiting for that “trickle-down effect,” myself, and I’m not talking about having a company s*** all over me — that’s happened plenty of times…

    13. ladycrumpet says:

      @joopiter: That bites! :p

    14. Aeroracere says:

      @joopiter: Ditto here. Shouldn’t they be footing the bill for credit monitoring services for the next 24 months, rather than telling us we should?

    15. royal72 says:

      yes of course they need to report every single one and definitely assign a “threat level”, because you need more fear in your life.

    16. axiomatic says:

      YES. Y E S!!! Y. E. S. ye-eh-us

    17. joopiter says:

      @Aeroracere: Yes they should. But that’s about as likely as them telling us the name of the employee who stole our information so we can *ahem* have a few words with him/her. I think the really annoying thing about this particular incident is that we’re not actually customers of Certegy. They gather up information on us, fail to keep it safe, we’re left to clean up the mess if something does happen and we never actually agreed to do business with them in the first place.

      On a humorous note, I opened my letter just as I sat down to watch Hell’s Kitchen and damn if I didn’t out-swear Gordan Ramsay. :)

    18. rhombopteryx says:

      @bnet41: (and B)

      Data breach IS defined in the laws the GAO is talking about, though – and it’s pretty much exactly just what you are recommending – certain types of personal data.

    19. pete says:

      IBM notified former employees of a data breach in June via USPS, four months after the incident occured. Although IBM has offered to pay for a year of credit monitoring, former employees aren’t too eager to give up their personal information to another institution – and I can’t blame them! Check out the thread here: [www.beingpeterkim.com]

    20. mac-phisto says:

      ok, this isn’t entirely fair though. not all data breaches exist within the first- & second-party relationship. perfect example is the tjx breach. banks & credit unions – large & small – shouldered the burden of notifying their customers & closing/reestablishing accounts. at best, they can make a bond claim for incurred costs (& then watch as bond premiums rise across the board whether or not their customers were affected by the breach).

      the most important thing here is transparency. the perceived guilt that corresponds to admitting to a network intrusion alone could persuade key decision makers to cover up intrusions. add in a layer of g-men, the possibility of massive fines & imprisonment & you’re guaranteed to remove the transparency that currently exists between law enforcement & business. in almost every case, the criminals are not the companies here – why redirect punishment & resources from the true source of the problem?

      finally, it’s important to remember that not all intrusions can be prevented. period. there are thousands of ppl working nite & day to hack info systems. & there’s thousands more combating intrusions 24/7 on even the most secure systems. despite that, if someone is motivated/talented enough, they will bypass the security.

    21. hoo_foot says:

      @ladycrumpet: Holy hell, I just received the same notice from Certegy yesterday and was going to make a comment about it. Was quite pissed off to find out that a company I’ve never even heard of managed to lose my financial information. And to this day, I STILL don’t know what company I do business with gave Certegy my information.

    22. mac-phisto says:

      @hoo_foot: certegy, a division of fidelity information services (one of the largest “backend” banking processors in the world) is primarily a check verification service. most likely they obtained your information when you wrote a check at a merchant that contracts this service with them.

    23. aikoto says:

      Yes they should. Because if people got a breach notification every month, they’d probably find a new service. Under that kind of pressure, maybe companies would work harder to prevent breaches or might even *gasp* stop raping us for information we don’t want them to take and keep anyway!

      And of course, almost none of this would matter if we had credit freeze protection.

    24. mac-phisto says:

      @jeremyduffy: not true. sometimes, we as consumers don’t necessarily have a choice – such as with certegy. you would have to avoid a large percentage of merchants to avoid winding up in certegy’s database – even if you never write a check.

      other times this negatively impacts the wrong company. in the tjx scadal, everyone is focusing their sights on tjx, when in reality a good portion of the blame lies on fifth-third bank. there’s a lot of customers that closed their accounts at their financial institution b/c they misread it as a problem on their side.

      also, if stores must attempt to notify you in case of a breach, expect them to maintain more information in order to comply with regulations.

      as i type this, my co-worker is reading thru three separate notifications of data breaches. nice.

    25. CTTC says:

      There have been 145 data breaches so far in 2007 from financial institutions, universities, retailers and governmental agencies producing over 58,000,000 at-risk records for potential identity theft. The most significant factor in determining whether those at-risk receive notification is financial – according to the Ponemon Institute study published in November, 2006, the average cost of dealing with a data breach rose to $182 per person. Lower the cost per record of a data breach and notification, and this factor becomes workable, so that these millions of people receive appropriate notice.

      IDSafeBIZ from Identity Theft America has attacked this financial consideration head-on, by allowing businesses to participate in a membership program that pre-plans for an actual data breach event. The program provides a complete written response plan if the member company experiences a data breach and locks in the cost to respond at $2.00 per person, which includes mail notification, call center, fraud alerts, services for those affected and more.

      “IDSafeBIZ is a complete solution which protects consumers at an affordable price and protects the integrity of the business,” says Sally King, president of IDT Alliance, Inc., a nationally recognized marketing and consulting organization working with many of the nation’s leading financial institutions.

      Bills to create a unified breach notification law for all 50 states have been introduced but not passed at the Federal level. Without a federal mandate, few states have adopted laws that require consumer breach notification, with some only requiring firms to notify consumers if there is a “reasonable likelihood of harm” to the individual, with the term “reasonable likelihood of harm” open to subjective interpretation by the breached firm. While the breached organization pays the response cost of the breach, the fee is likely passed on to the consumer in the form of increased cost, taxes or tuition. A federal data breach notification law could be a double-edged sword.

      Sometimes an indirect issue opens the public to risk – for example, a firm shipping an insured, encrypted disk containing 200,000 personal records with a well-known overnight delivery service may unexpectedly discover the delivery service has mislaid the disk. A federal law requiring breach notification might cost a company millions of dollars and put the firm out of business; it is also possible lack of a federal requirement of breach notification might result in a poor reaction to the data breach by the company, which impacts the company in a myriad of other ways: loss of customers, slowing the firm’s growth, loss of vendors and contracts, to resulting in a business closing.

      “At minimum, companies should evaluate all available options,” adds King. “With a cost-effective solution such as IDSafeBIZ within reach, it makes smart business sense to implement a solution before a crisis happens.”

      Learn about IDSafeBIZ at [www.IdentityTheftAmerica.com.]

    26. ekistics22 says:

      I agree. Consumers should be notified PROMPTLY by the company that has their personal data and has a data breach… ESPECIALLY when that company is a prior employer. Unfortunately, much of the media coverage so far ignores data breaches by former employers… and we all have former employers. I am one of the people affected by IBM’s data breach. I write a blog about the identity theft issues related to former employers and how long companies like IBM choose to archive our personal data:
      [www.ivebeenmugged.typepad.com]