Data breach notification is a wider topic than just the benefits or drawbacks of introducing laws to regulate it. There are other obstacles to overcome when considering how to approach legislation. In particular, there is the question of at what level the “trigger point” for a data breach notification should be set, and how to define it.
If the trigger point is set too low, there is a risk of authorities and customers alike being overwhelmed by notifications, including those for trivial matters and for breaches that will have little or no impact on the security of their identity or lives. People may simply end up ignoring them and fail to take precautions when they are actually necessary (something similar happened in Japan). This is also a risk with the current EU proposals, which provide little detail as to which breaches require notification.
On the other hand, setting the bar too high could mean that customers are not adequately notified of more serious incidents. Organisations may choose not to notify except for the most serious breaches in an attempt to maintain better public relations. This also ties in with the definition of “personal information”. In California for example, legislators have included a list of information, the loss of which will automatically trigger an obligation to notify, including, for example, social security numbers.
Indeed, we could look to laws in the US to define a trigger point for notification in any new law. The Californian example is the original US data breach notification law, introduced in 2003, and the model on which most subsequent US laws were based, and so it is a good point of comparison to use.
The Californian Data Breach Law, contained in bill number SB 1386, applies to all state agencies, companies or individuals that conduct business in California. The law requires that breaches of security systems are disclosed to all Californian residents whose personal information has been or is reasonably believed to have been acquired by an unauthorised person. The officially stated purpose of the law is to give individuals warning that their personal information has fallen into the hands of an unauthorised person, so that they can take steps to protect themselves against identity theft or to mitigate the crime’s impact.
In a consumer context, the duty to notify customers is triggered by any breach of security where an individual’s unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorised person. Under the law, “personal information” is defined as an individual’s name in combination with other specific pieces of information, including social security numbers, driving licence numbers, and account numbers or credit/debit card numbers together with the security codes that would permit access to an individual’s bank account, as well as medical information and health insurance information.
Other states have adopted a more stringent notification trigger that requires a certain degree of likelihood of identity theft or harm to consumers. For example, Arizona’s statute is triggered where the breach “causes or is reasonably likely to cause substantial economic loss to an individual.” This can be very difficult to test.
Contrast this with the vague wording of the current EU proposals: “The subscribers or individuals whose data and privacy could be adversely affected by such breaches should be notified without delay in order to allow them to take the necessary precautions.” Although the proposals attempt to give examples of this adverse effect (identity theft or fraud, physical harm, significant humiliation or damage to reputation), these remain vague notions, and it is difficult to judge (or prove) that they will be a direct consequence of a data breach.
Clearly there will be a lot of work needed to harmonise Member State implementation of such legislation, and the approaches taken by the Member State regulators.