Trends in Data Privacy and Breach Responses

As data privacy laws and best practices have become more numerous and complex, data breaches have become more frequent, and media coverage of related events has increased, companies cannot ignore the need to plan for breaches. It is not a question of if but of when a company will be forced to deal with a breach. Up-front development of an organized, timely, and appropriate response is essential not only for minimizing risk and maintaining customer loyalty, but for reducing the costs of a breach response when it occurs. 

Once at most a peripheral issue, data privacy has been pushed to the forefront of the public’s consciousness by increases in legislation and publicity in an online world. In the first half of 2010 alone, companies such as Apple, Facebook, and Google have had public struggles involving data privacy and have drawn a significant amount of attention to the topic.

The Complexities of Data Privacy Legislation

The risk of unwanted media attention cannot be a company’s sole concern, however. Multinational companies must navigate regulations in every country in which they do business—or risk the consequences. Privacy laws vary from country to country, and the European Union has its own set of policies to which its member countries must adhere in addition to their own. In August of 2010 alone, breaches were reported in New Zealand, South Africa, Switzerland, and the United States.[1]

In the United States, there are different layers of legislation across types of information and levels of government. The Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Cable Communications Policy Act are examples of federal legislation that deal with certain information as used in specific industries. These and many other policies were passed over a span beginning more than 40 years ago, under different circumstances and in entirely different technological landscapes. Companies must fully understand and comply with the policies that relate to their industries. With congressional investigations into data collection and privacy issues ongoing even now, further changes can be expected.[2]

The complexities of privacy legislation are not reserved for the federal level. In fact, it was the state of California that, in 2003, passed what Eduard Goodman, chief privacy officer of the identity theft resolution service Identity Theft 911, called “the country’s (and arguably the world’s) first true data breach notification statute. ... [T]here are now a total of 45 states with breach notification statutes.”[3] These statutes vary from state to state.

Preparation and Protection 

The constant change and complexity of the data privacy landscape can be dizzying to companies. This is why vigilance with regard to relevant issues is essential: failure to comply with legal requirements or best practices, compounded by failure to comply with relevant notification legislation, can be an expensive lesson that costs companies customers.

Preparation

Waiting for a data breach to occur is an invitation for increased expense and potentially legal ramifications. Different jurisdictions and different types of information require different responses. For example, a breach of unsecured protected health information necessitates individual notifications without unreasonable delay and in no case later than 60 days following the discovery of a breach, according to the Health Information Technology for Economic and Clinical Health Act (HIPAA HITECH)[4]; whereas certain licensed health facilities in California must send notification of unauthorized access to, and use or disclosure of patients’ medical information within five days of detection of the incident.[5] However, companies experiencing a (non-health related) breach of personal information simply must notify affected California residents “in the most expedient time possible and without unreasonable delay.”[6] 

Such dramatic differences in required response, depending on the information at hand and the location of the incident, mean that, in short, companies should be intimately familiar with the applicable data privacy legislation in the countries, states, and localities in which they do business. Any company handling information subject to data privacy laws should prepare an incident response plan that covers everything from defining terms, to the appropriate training of employees, to identifying the government agencies the company may be required to notify in the event of a breach.[7]

Depending upon their organization and in-house capabilities, companies may find value in establishing strategic partnerships to conduct breach response notifications. Considerations such as print-and-mail capability, call center capacity, or credit monitoring functions are often overlooked until the situation arises—at which point time is of the essence.  

Protection

While preparation such as that described above is part of any company’s due diligence, prevention must come first. “Americans have simply ‘put the cart before the horse,’ so to speak. ... The loss of over 345 million records of Americans since 2005 should confirm that simply providing notification following a breach has done little or nothing to stop security breaches from occurring in the U.S.”[8]

In other words, while it is essential that companies are prepared to respond to breaches in the event that they occur, it is both law and best practice to understand how to prevent breaches from occurring. There is no foolproof way to avoid breaches, but following best practices can have a substantial effect. A study conducted by the Verizon RISK team in cooperation with the United States Secret Service found that 96 percent of breaches were avoidable “through simple or intermediate controls.” The same study highlights the importance of internal controls and training: while 40 percent of breaches were the result of hacking, 48 percent involved privilege misuse.[9]

Summary

While privacy and data security legislation goes back more than 40 years, the past decade has witnessed an explosion in industry-specific best practices and regulation at the national, state, and local levels. No company is immune to the risks of a data breach; however, a combination of preparation and protection can minimize those risks.

[1] Open Security Foundation, http://datalossdb.org.
[2] “Lawmakers Seek Answers on Online Tracking,” by Julia Angwin, WSJ.com, Aug. 5, 2010, http://blogs.wsj.com/digits/2010/08/05/lawmakers-seek-answers-on-online-tracking/?KEYWORDS=data+privacy.
[3] “The New Massachusetts Data Security Regulation: Why 201 CMR 17.00 will change America’s privacy and security landscape,” by Eduard F. Goodman, originally published in Privacy and Data Security Law Journal, Vol. 5, No. 2, February 2010, at 124.
[4] “HIPAA Administrative Simplification Statute and Rules, Breach Notification Rule,” U.S. Dept. of Health and Human Services, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html.
[5] California Health and Safety Code Section 1280.15.
[6] California Civil Code Section 1798.29(a).
[7] “Recommended Practices on Notice of Security Breach Involving Personal Information,” California Office of Privacy Protection, p. 11, Rev. June 2009.
[8] Goodman, Ibid.
[9] “2010 Data Breach Investigations Report,” Baker et al., of Verizon and the United States Secret Service, p. 2, 2010.

By Aaron Carlson, Consultant, September 2010.