Transparency as Compliance with Data Security Regulation
How are data holders to comply with the swelling riot of data security laws? These laws include breach notification laws, which require that individuals and/or government be notified when the security of private data has been compromised. Perfect compliance is impossible.
Almost all the states have adopted breach notice laws – though they are not uniform – and legislatures are expanding the scope of the laws.
The original law from California (effective six years ago) focused on identity information – name plus social security number, driver’s license number or financial account number. Then the California legislature expanded its law to also include breaches of medical data. That expansion became effective January 1, 2009. Result? In the first five months of 2009, California authorities were notified of a whopping 823 healthcare data breaches, mostly through self-reporting by healthcare entities. That’s just one industry, in one state, in five months. And California authorities anticipate that the flow of notices will rise as people in the healthcare community become better aware of the new law.
A data breach can occur in myriad ways: a misdirected fax or e-mail, a hacking incident or snooping by an employee.
Meanwhile, we see floods of breach notices issued in other states and other industries – retail, nonprofit, colleges, financial, professional services, water districts, school districts, county government, municipal government, state government, federal government. No organization is immune. As these laws sit longer on the books, the flow of notices grows larger and larger.
Why are there so many notices? The reason is that the laws assume that 100% data privacy can reasonably be achieved. They further assume that any shortcoming (or suspected shortcoming) of data privacy should be an unusual event within well-managed enterprises. The assumptions are wrong.
The expectations of the public, and especially the expectations of policy makers, are out of touch with the reality of modern data management. These outsized expectations contribute to a growing risk of monetary liability on the part of data holders.
So what are data holders to do? Obviously they need to invest in data security, training and investigation – and they have been. But banks, schools, utilities, clinics, hospitals, merchants and government agencies can throw massive investments at this problem and never meet present expectations.
Wise organizations will start talking in public about data security. I recently recommended to a municipal power utility that it convene public forums on the topic, and involve community leaders such as representatives from the city council and the state's attorney general's office. Organizations like a power utility need to inform the public about how challenging and expensive it is in reality to protect 100% of the data 100% of the time. They need to explain in detail why it is impossible to close off all security risks while performing their regular services to the public. And they need to seek input from stakeholders.
No, mere publicity and public dialog will not absolve organizations from issuing breach notices in compliance with law.
But transparency, meaning candid, open disclosure of problems in advance, can influence how harshly authorities, such as courts, attorneys general or consumer protection agencies, interpret and enforce these demanding laws. Our legal system has long held that organizations will be treated more leniently when they display diligence toward compliance with difficult laws.
Update: Even e-mail security vendor McAfee inadvertently broadcast via e-mail a spreadsheet containing details (including dietary preferences) of some 1408 conference attendees.
Update: A data leakage audit of a Boston CPA firm revealed that staff made an astonishing 3200 data security slip-ups over the course of the 38-day audit. This is a firm that believed it possessed the required policies and technology to protect data. Jackie Noblett, “One Firm’s Story: Your Data Isn’t As Secure As You Think,” Boston Business Journal, Dec. 26, 2008.
Another update: A survey shows that mere accidents by employees account for far more data security breaches than do malicious actions by insiders.
One more update: IT security breaches soared in Canada in 2009. The Globe and Mail, September 29, 2009.
–Benjamin Wright
At the SANS Institute, Mr. Wright teaches computer security law, where he stresses that a cyber-security program must include effective public communications.