Breach Notification: Even Those Who Know, Don’t Know Enough

Since California became the first state to enact a security breach notification law in 2001, 46 states and the District of Columbia have enacted similar disclosure laws. These laws follow similar basic tenets that “companies must immediately disclose a data breach,” a burden most stringent when the data compromised could be classified as personally identifiable information (PII), such as name, Social Security number, date of birth, mother’s maiden name, etc.

When Spec’s liquor stores, a Houston-based retail chain, admitted that more than 500,000 customers had critical financial information stolen, they also revealed that the company had not disclosed knowledge of the data breach for over a year, at the request of investigators. This request makes it entirely unclear whom data breach disclosures are intended to protect, and what the information contained within them reveals.

To better understand what information is contained within breach disclosures, we requested, through the Freedom of Information Act (FOIA), records of disclosures made to the Commonwealth of Massachusetts within the healthcare industry for the period 2007–2011. While the data showed that over 1 million Massachusetts residents had PII compromised as a result of a data breach, the most shocking findings are:

  • Greater than 40% of the reported breaches were from organizations that had reported a previous incident

  • Greater than 60% of reported incidents were unable to identify when the breach started

  • Less than 20% of the reports could identify if the reported breach had ended

  • On average, breaches were discovered 198 days after they began

It’s clear that not only do these disclosures fail to inform consumers, they also fall short of holding breached organizations accountable.

As we have stated previously, inconsistencies in state reporting and timeliness requirements have illuminated the need for a national standard. In February, Attorney General Eric Holder called on Congress to act, stating that such a law would “enable law enforcement to better investigate…” Despite mounting pressure, Congress has yet to move on such legislation. Efforts to institute federal disclosure laws continue to be hampered by the competing interests of states’ rights, corporate, and consumer advocates.

While public companies are not required to disclose threats or attacks, cybersecurity is subject to the same “materiality” standards that govern other SEC disclosures. The challenge is avoiding “boilerplate” admissions in favor of meaningful disclosure, while simultaneously ensuring that this information does not provide a roadmap to a company’s vulnerabilities. While public companies such as Target and Adobe may be compelled by the SEC to inform consumers of a “cyber incident,” there is no standard for privately held companies, which may pose an even greater threat to consumers and greater third-party risk. We must raise the bar by incentivizing the right behavior through comprehensive national standards that include clear definitions of what constitutes a breach and require disclosure of all incidents that impact PII, confidential business information, and compromised systems.