We need more breach notifications, not fewer
Some topics are more than what Twitter can handle. The other day, I tweeted:
If bills in Congress are enacted, this #databreach wouldn’t require notification: http://bit.ly/qeqRmR I think it should.
I didn’t indicate why I think it should. Nevertheless, Jim Harper of Cato subsequently responded with his own tweet:
Data breach notice is making its way from a functional aid to ID fraud prevention to all-purpose penalty. http://t.co/wNQPd0T
It’s not clear to me why Jim seemingly interpreted my tweet as advocating for breach notifications as a penalty or for punitive purposes. In any event, we had a bit of a back-and-forth on Twitter that I thought I would elaborate upon here.
At the risk of putting words in Jim’s mouth (which he is welcome to spit out if distasteful), Jim seems to argue that businesses should only provide breach notifications if there are damages or harm to the individual. We didn’t quite get to how Jim defines “harm” or “damages,” and he did acknowledge that social embarrassment might constitute “damages,” but consider this tweet of his (emphasis added by me):
Negligence requires duty, breach (of the duty), causation, and damages. A data breach without damages doesn’t matter.
I disagree. There’s a fundamental flaw in thinking that unless you can demonstrate damages or risk of damages, data breaches don’t matter and don’t need to be disclosed. Consumers cannot make informed decisions about whom to trust with their business and their personal information if they are kept in the dark about security failures.
Suppose that on Tuesday, Company A has a data breach in which they discover that a company laptop containing customers’ names, contact details, and types of sexual aids purchased was stolen from an employee’s car where it had been left overnight. Because there were no credit card data on the laptop, Company A would probably not be required to notify consumers of the breach under proposed federal data breach notification laws (although they would be required under some states’ laws that would get preempted by the federal law).
Some might argue that if notifying the consumers doesn’t really help them as there’s nothing they need to do or can do, we shouldn’t require notification. But that neglects to give due weight to the fact that the customer who’s notified might decide not to trust that business again and that by failing to require notification, we will have deprived the consumer of information that they may need and/or want. Additionally, we cannot assume that because the breach is over and done with and there has been no immediate evidence of misuse of data, the same company won’t have the same security failure again next month or the month after that – or a similar breach involving even more sensitive data. Indeed, by allowing businesses to avoid having to disclose breaches, we take away what may be an important incentive to improve data security.
Jim and I agree that breach notifications are not a panacea. But I apparently think they have more value than he does. Then, too, as Javelin studies consistently report year after year, those who receive breach notifications are 4x more likely to become victims of card fraud or other problems within the next 12 months. Do we really want to reduce notifications, or do we want to ensure that consumers have a better way to assess their risks? A number of experts have suggested that consumers will get “burnout” and begin to ignore notifications if there are too many, but I think any such burnout is partly a function of how notifications are worded, and that is an issue that can be addressed. Just as our government’s “orange” warnings on homeland security threats tended to be ignored over time, breach notifications will also be ignored if the notice and risk assessments aren’t commensurate or clear.
So no, I’m not saying that businesses should notify customers of breaches because I want to penalize the businesses. I’m saying they should notify because I think consumers should decide whether they need to do anything for the particular set of circumstances and whether they want to continue a business relationship with an entity. I think there are other ways to handle breach notifications so as not to make the process so costly, but cost is not a justification for failing to disclose a breach. Even if you view it as a matter of business ethics and transparency, if a business promised to keep your data secure and failed to do so, they should let you know.