
6 Reasons Why Changes to Rhode Island's Breach Laws Won't Work


By Eduard Goodman

The main reason why? Legislators are asking for a 14-day notification timeframe, but that can lead to a number of problems. Responding to a breach is complicated. Organizations first need to determine whether a breach actually happened, identify who was affected, establish what information was exposed and by what methods, and then determine the harm that was done.

Rushing that process can lead to these headaches:

1. Multiple notifications will confuse consumers. Companies most likely won’t be able to get all the information they need for a notification in two weeks. They’ll be forced to provide initial notification quickly, and they will then be compelled to follow up with additional details as more information comes to light. This over-reporting provides little benefit to consumers. Instead, they’re apt to find themselves confused and upset.

2. Communications may be sent to the wrong address. Depending on the nature of the business and the age of the breached data, the organization may not have time to confirm it has the right contact information for the affected parties before the notification clock runs out. Sending notifications to the wrong physical or electronic address will only further bungle any breach response.

3. Required credit bureau notification may amount to wasted effort. Proposed new language also requires businesses to notify the credit bureaus after a breach, but this is an outdated concept that often does nothing more than generate more work for the breached organization and leave consumers open to marketing contacts. If Social Security numbers (SSNs) or other specific data sets haven’t been exposed, then notifying the credit bureaus provides little benefit.

4. Suggested standard language may not apply in all breach situations. Standard language is being suggested for notification letters, but different breach types render some of the universally required language unnecessary. The advice contained in each letter should relate to the specific data types that were compromised, such as payment card numbers, email addresses, medical information, etc.

5. Limited notification is bad for consumers. The revised regulations also call for notification only when names are exposed in conjunction with another type of data, such as SSNs or account numbers. But a compromised SSN can be damaging in and of itself. The name is just a bonus. In today’s world, the risk of fraud exists even when only a single piece of data is released.

6. Electronic notification is problematic. Consumers may think an email offering credit monitoring or other services is spam or a scam. This is especially true in the case of organizations that typically communicate with customers via snail mail, such as utility companies. Emailed messages could also end up in consumers’ junk folders without them ever knowing they existed. Instead, the regulations should stipulate that notice be given by the method most likely to actually reach consumers, based on the prior relationship.

The proposed amendment’s impact on the business community must also be considered in light of its impact on the public. Adding unnecessary costs may leave a business with fewer resources to support consumers. The more a business must put towards meeting overly stringent timing guidelines thought up by academics and politicians, the less it will have to spend on affected consumers like you and me and on preventing future incidents from occurring.

Eduard Goodman is chief privacy officer at IDT911.
