Editorial: Let me make my own decisions, thankyouverymuch
The recent spate of hacks against Sony networks as well as a Congressional hearing where representatives of Sony and Epsilon testified about their recent breaches have stimulated another round of discussions about whether we need a federal breach disclosure law that preempts state laws, and if so, what the threshold or trigger should be for notification.
Security professionals and those who follow these issues have seemingly split on the issue of whether notice should always be provided. Some argue that if consumers were to be notified of every single breach involving their information, “breach notice fatigue” would set in, consumers would become numb, and they would wind up ignoring breach notices that might really require they take affirmative action to protect themselves. What’s the point, some argue, of notifying people of a breach if there’s nothing they can do to prevent harm? Those who take this position tend to argue that notice should only be required if there is some real “risk” to the consumer, usually framed as financial fraud or identity theft. Others agree there should be a risk threshold, but argue that some risks are greater than breached entities may acknowledge and/or that there are other kinds of risks, necessitating a lower threshold for notification than many corporations might want.
Yet other professionals and privacy advocates argue that every breach involving personal information should result in notification. For some, the rationale is that it is a matter of trust and ethics – that if a company promised to protect privacy and security and failed to do so, they need to let the consumer know. Others argue that entities that have been breached have a bias in determining the risk to the consumer and may underplay the risk so that they do not have the expense and potential reputation harm of having to notify consumers. And yet others – this privacy advocate included – argue that the consumer has a need to and right to make their own decisions about whether there is anything they need to do and they cannot make that decision if information is withheld from them.
Last night on Twitter, I tweeted, “So if 1m ppl might get confused/numbed, does that mean I don’t have to be notified when I want to be informed?” Somewhat stunningly, one of the discussants answered, “Yes.”
Even if 99% of the public doesn’t care if they are notified, even if many or even most people might suffer breach notice fatigue, I do not consent to my individual right to be waived by others. Paternalistic arguments about protecting me from breach notice fatigue fall into the same category as arguments for censoring content because children need protection and the government knows best.
If you collected my data, protect it. And if you didn’t, tell me. I’ll take responsibility for my action or inaction after that, but don’t cover up your security failure in my name. It just won’t fly.
I recognize that some will correctly point out that the only right I have is a right recognized by a court. That’s why it is so important for Congress to affirm consumers’ right to be informed of privacy or data breaches so that consumers can make informed decisions. We shouldn’t be told that what should be our decision has been outsourced to a breached entity or a federal agency.