Over-reporting vs. under-reporting data breaches

September 20, 2011 by bkrenek

The onslaught of significant data breaches in the past year has once again spurred legislators to push for national data breach notification legislation. Such a cohesive law would replace the jigsaw puzzle of state legislation that has followed in the wake of California’s security breach notification law, S.B. 1386, which was designed to ensure that companies alert customers when they are at risk of identity theft.

But less agreed upon in the rush to protect the public is the question of what qualifies as “risk” to consumers, and exactly when organizations should be mandated to reveal breaches.

Legislation that has been introduced includes the Personal Data Privacy and Security Act, sponsored by Sen. Patrick Leahy, which requires companies to disclose cyber attacks that jeopardize consumers’ personal information and makes it a crime to conceal such a breach. The bill would also mandate that organizations possessing personal information put in place “reasonable” security procedures to keep that data secure.

Other bills that have been introduced include the Secure and Fortify Electronic Data Act, sponsored by Rep. Mary Bono Mack, which requires notification to the FTC and to consumers within 48 hours of the time that a breach has been secured and the scope of the breach assessed, subject to penalties levied by the FTC.

But amidst a growing consensus that a national data breach notification law would make compliance both stricter and less cumbersome for businesses while helping to protect consumers, there is concern that the bills now under consideration risk encouraging over-reporting of data breaches, a problem that can be as serious as under-reporting.

The Business Software Alliance, for example, believes that over-reporting of data breaches may lead consumers to ignore notifications, raising the possibility that they will not take steps to protect themselves from identity and financial theft. The Alliance argues that Washington should adopt a higher threshold for data breach disclosure than a “reasonable risk” to consumers; instead, the bar for notification should be “significant risk.” Anything less would require companies to notify customers whenever a threat might be posed, adding to the problem of breach notification fatigue, in which some consumers tune out warnings even after they have actually been exposed to a real threat.

Until breach notification law is settled at the state and federal level, it is best to keep breach notification best practices in mind as your company steels itself against the dangers of cyberspace and strikes the most responsible reporting balance.