The landmark California regulation that was passed in 2002 requires companies to go public when they've experienced a data breach. Today, eight years later, most states have passed their own version of that seminal legislation, and even the federal government is debating whether to pass one. Other nations have passed similar laws as well.
The legislation varies state by state: for example, many US states provide safe harbor from sending data breach notification letters to clients if the information was protected with encryption software like AlertBoot endpoint encryption; other states do not. Some states allow companies to determine whether a breach notification is necessary; other states do not.
But there is one thing in common among all the states' laws: in no instance do the laws penalize a company for suffering a data breach, as far as I can tell. Instead, penalties and fines are assessed for instances where a company does not report a data breach, assuming such legislation is in place.
Technically, if a junior banker loses a laptop full of client account numbers and routing codes, because he decided to take said laptop on an all-night partying and drinking binge, well, the company's safe as long as they report the data breach. (And, again, in some states they're OK even if they don't report it.)
Of course, the public relations fallout and any other regulators--from the banking associations, for example--might not be as forgiving about the breach. And the same goes for the bank in relation to the junior banker: he most probably will get fired. However, it still remains that the breach laws cannot penalize the company.
Which is weird. Generally, the law tends to ensure penalties are assessed for things that are bad for society. And personal information data breaches are bad for society. So what's going on here?
Well, the problem lies in that no one wants to come forward regarding a data breach. Companies especially don't want to come forward if they're going to be penalized as a result. Sure, maybe a company has in its mission statement something about the "welfare of their clients" and whatnot, but consider the financial impact of a breach:

- Cost of notifying clients (the law usually requires first class mail)
- Cost of setting up toll-free numbers where clients can call for more information
- Cost of running security audits; patching and updating weaknesses; etc.
- Costs for defending against lawsuits due to the breach
- Cost of offering identity theft protection, credit protection, etc.
- Costs associated with lost productivity--someone's got to run and write the reports to show to auditors and others
- Potential costs of client turnover

Tack on substantive fines on top of these and, of course, the hiring of lawyers to defend the company against the levying of such fines (companies have to pretty much defend themselves against everything; to do otherwise would mean the C-level guys are in breach of their fiduciary duties to shareholders), and you've got to imagine that some companies will not be as forthcoming.

At the same time, one's got to admit that there's no way to prevent data breaches 100%--the flipside of that coin being that the chances of a breach are pretty much 100%. When you know that the chances of a breach equal certainty, well, does assigning penalties even make sense?

Consider, too, the reason behind breach notifications: ultimately, it's the companies' clients--you know, people, average joes--that are affected. Hiding a data breach, or not reporting it as soon as possible, means that it's the clients that will suffer the most.

It only makes sense that there wouldn't be any legislation gunning for companies that have a data breach: the idea is to encourage companies to do the right thing and come forward.

Incidentally, that's the reason why companies are penalized for not reporting a data breach: another encouragement for doing the right thing. And, of course, the safe harbor provided by many states when employing encryption is basically there to encourage companies to use this method of data protection.
The problem with these breach notification laws is that they're a form of defense after the crime. An ounce of prevention is worth a pound of cure, right? So is there any way to be more proactive when it comes to data breaches?
Well, it's debatable. Let's say the government passes a law requiring the use of disk encryption on any laptops that may contain sensitive information--no ifs or buts. Well, that's great and all, but what's important is not that the laws were passed; the point is whether people comply with those laws. Otherwise, we're still stuck in the same situation.
How can we tell that companies are complying with such laws, assuming they are passed? The only way to know for sure is to inspect companies, by performing an audit. Just like the Health Department does when inspecting restaurants for health code violations.
Obviously, the government can't audit all companies. And auditing only the top companies--say, the Fortune 1000--would not quite make a dent in the problem: Census stats show that firms with 500+ employees comprise less than 1% of all firms in the US, but breaches of massive amounts of data can come from pretty much anywhere.
You can see where this is going: it's going to be pretty much impossible to ensure that everyone is following a law designed for better data security, let alone enforce it.
Personally, I don't think that auditing all companies would even work, even if it were possible. We must remember that it's generally people that are allowing breaches to occur: sure, hackers can gain access to sensitive information on databases due to patches not being applied correctly; because there are bugs in the code; etc.
But a good 33% of the data breaches in the US occur due to good old theft: break-ins to cars and homes, loss and misplacement, surreptitious lifting while at the coffee shop, etc.
Considering this, legislation that penalizes companies may not necessarily be the answer.
Related Sites and Articles: http://www.census.gov/epcd/www/smallbus.html