In the United States of America, businesses are required by law to notify individuals of security breaches involving personally identifiable information. The scope of the laws varies from state to state, but they all typically include provisions around who must comply with the law, what constitutes personal information (PI), what constitutes a breach, and requirements for notice.
Typical PI under most state laws includes social security numbers, drivers’ licenses, state IDs, banking or credit information, and other financially sensitive account numbers. As cyberattacks continue to proliferate, and states introduce more rules and regulations, more and more companies are becoming aware of breaches and are having to notify consumers.
In a lively panel on US cyber regulation at the NetDiligence Cyber Risk Summit in Philadelphia, Travis LeBlanc, partner at Cooley LLP and vice chair of Cooley’s cyber/data/privacy practice, posed the question of whether data breach notification continues to serve a “legitimate, valuable and useful purpose” in every single instance for which reporting is required.
He challenged his fellow panellists, both from state Attorney General offices, with the notion that there’s “notice fatigue” among the general population. LeBlanc said: “How many times has our information been breached, we’ve received a notice, and we’ve had to figure out what to do next? What happens is, people start to think: ‘My information’s out there anyway, so what good is another notification?’
“I know the law requires it - and notification certainly makes sense in a world where we’re talking about very sensitive data like social security numbers - but when you get to these broader breaches that involve personal information (PI), does the constant pursuit of notification continue to serve a valid remedial purpose for consumers?”
Fellow panellists Ryan Kriger, assistant attorney general at the State of Vermont Office of the Attorney General, and Timothy Murphy, deputy attorney general at the Office of Attorney General for the Commonwealth of Pennsylvania, both agreed with LeBlanc that there’s some element of notice fatigue among US consumers. However, both men argued for the relevance and importance of the legislation.
“I agree with the point about notification fatigue,” commented Kriger. “I’ve had people call me and they say: ‘OK, I’ve got this notification, what am I supposed to do now?’ They should do the same things you should be doing even if you didn’t get a notification. You should freeze your accounts, you should be looking at your credit card statements, and you should be looking at your credit reports. Everyone should be doing that, whether you’ve been notified of a breach or not.”
According to Kriger, there are three key reasons why businesses will want to have solid cybersecurity. The first is the regulations that enforce reasonable cybersecurity; the second is internal concern about losing valuable data and business information; and the third is loss of consumer data, which breaches privacy laws. The difference between losing consumer data and losing internal data is that the former doesn’t necessarily impact the business up front. Some companies suffer breaches for years and years before noticing that they’re leaking data, and that’s because there’s an element of “externality,” Kriger explained.
“I think the security breach notice acts perform a critical role, which is that they’re the only reason why most businesses are held accountable for how they’re breached,” he added. “The notice acts make businesses take account of having had a breach – it’s a shame and it’s a public acknowledgement that they’ve suffered a breach. That’s one of the reasons why these laws are really critical. They are, for many businesses, the motivation to have cyber insurance and to have counsel advising them on how to avoid breaches.”
In Murphy’s state of Pennsylvania, there are many consumers in rural areas who don’t have access to the internet or to computers. They don’t experience the same “fatigue” from reading about massive data breaches on the front page of the New York Times or all over social media. For these consumers, breach notices serve an extremely valid and useful purpose, he told the audience.
“They rely on that notification,” he said. “Especially when it’s personal information like drivers’ licenses, banking information or social security numbers – I think for all of those things, it’s very important that consumers are notified every time a breach occurs. It’s very important that we think of those rural areas where people might not be watching the news, but they might have legitimate assets that they want to protect.”