Bananas.com was caught off guard last year. The musical instrument sales site suffered a data breach that was followed swiftly by a double whammy of consequences. Because its own resources were limited, Bananas referred victims to large credit-reporting agencies to monitor for subsequent financial damage from the breach. Despite its efforts, Bananas apparently failed to meet all the various state notification requirements and was subsequently slammed with fines and fees by major credit companies. The Bananas experience provides a hint of the turmoil a company can face as it tries to cope with disclosure requirements in the wake of a data breach.
With no imminent legislative relief in sight, corporations sometimes resort to blanketing customers with notifications after a breach — lobbing disclosures even in those states that don’t require them, simply to cover all bases. But this practice can have “unintended detrimental consequences,” says Robert Scott, managing partner at the Dallas office of Scott & Scott LLP, a law and IT services firm.
Studies have shown that most customers would take their business elsewhere if they received two or more security breach notices, says Scott. “When faced with a security incident, businesses should carefully determine who has been impacted, review their breach notification laws in the relevant states, and devise a breach notification strategy that satisfies the legal obligations and properly notifies affected consumers,” he says. Others are stepping up encryption efforts, since many states don’t force companies to disclose security incidents if the compromised data was encrypted.
In large companies, disclosure activity often involves multiple jurisdictions, such as the offices of the chief auditor, the chief compliance officer, the chief privacy officer and the chief technology officer or the CIO, says Joseph RosemĀbaum, a partner at New York law firm Reed Smith LLP.
“Where responsibilities are partitioned across a diverse set of functions, each office may have the ability to provide greater focus on individual issues, but the challenge of coordination across multiple disciplines is more difficult,” Rosembaum notes. Moreover, it takes corporate vigilance to keep pace with so many differences in state disclosure laws — variations that start with notification triggers. “For some states, any breach that compromises the security or confidentiality of covered personal information triggers the obligation to notify the affected individuals,” notes Thomas Smedinghoff, a partner at Chicago law firm Wildman, Harrold.
For example, although one state might allow exemptions for compromises of encrypted data, “another state without such an exception would require a notice, even though the data was unreadable,” says Geoff Gray, a privacy and data security consultant at the Cyber Security Industry Alliance in Arlington, Va.
And as Bananas.com learned, the high cost of notification compliance doesn’t stop with the resources it takes to coordinate a response and alert customers. “We expanded upon legislation that only existed at the time in California and opted to make nationwide notification of potentially affected consumers, without any state or federal law requiring us to do so,” says Christopher Cwalina, ChoicePoint’s assistant general counsel and vice president for compliance.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=304931&source=NLT_AM&nlid=1