The Case For Equity In Breach Notification
By Don Peppers and Martha Rogers Ph.D.
A review of the new federal data privacy and security bill reveals a troubling double standard: private-sector companies would face criminal prosecution for willful concealment of a security breach, while public agencies engaging in the same conduct would be off-limits for identical punishment.
The Leahy-Specter Personal Data Privacy and Security Act of 2007 has ignited behind-the-scenes outrage in the private sector that public agencies – responsible for multiple and, in some cases, repeated security breaches – would not be held to the same standard of reporting. Privacy watchdogs, meanwhile, believe the bill likely will be significantly diluted as it makes its way toward an uncertain vote. Whatever the outcome, the initial inequity – as obvious as it is – has led to private griping rather than head-on public attacks. Attempts to discuss the issue with the bill’s sponsors, Sen. Patrick Leahy (D-Vt.) and Sen. Arlen Specter (R-Pa.), were futile, as staff for both senators failed to respond to requests for comment about the bill’s inexplicable absence of accountability for government agencies.
“Should the government be required to protect information just like private entities do? Absolutely,” remarked Marty Abrams, Executive Director of the Center for Information Policy Leadership at Hunton & Williams LLP.
Irrespective of the scope of the TJX (T.J. Maxx/Marshall’s) breach – the company announced in late March that information from 45.7 million credit and debit cards had been siphoned from its systems – a substantial percentage of the larger-scale thefts have taken place under the semi-watchful eye of the government and its partners. In May 2006, the U.S. Department of Veterans Affairs announced that it had potentially exposed personal data (names, Social Security numbers (SSNs), birth dates) of veterans and their families when an employee took home a drive containing sensitive personal data on as many as 26.5 million people.
Just as private-sector companies have suffered privacy and security problems caused by their vendors, the public sector also has experienced the fallout of a vendor’s error. For example, at the end of 2006, a company working for the Wisconsin State Department of Revenue printed SSNs on the outside of tax booklets sent to state residents. The company, Ripon Community Printers, tried to get the state to quash the news, arguing that nobody would have identified the digits as SSNs, as they weren’t separated by dashes, and that publicizing the incident would alert would-be identity thieves to the breach.
Under the Leahy/Specter bill, the government and its partners continue to get off with an apology and some credit monitoring for such breaches and notification failures or delays. While such “penalties” have the potential to be costly, they hardly compare to the proposed criminal sanctions for private entities. And there’s no explanation for the discrepancy between the treatment of private and public entities.
“It’s a very valid question. This bill sound-bites very well, but you can poke holes in it when you take a closer look at it,” said Dave Morgan, Founder and Chairman of behavioral targeting ad network TACODA.
Nobody expects this issue to be addressed anytime soon. In fact, most believe it’s a toss-up whether the bill will survive the poking and prodding of various Congressional committees.
“One hundred million people have had their data breached or exposed over the past couple of years. If that’s not enough to get action, what is?” asked Alan Chapell, President of privacy/security consultancy Chapell & Associates.
Shannon Kellogg, Director of Information Security Policy in the office of government relations at security firm RSA Security, bases his uncertainty about the legislation’s ultimate fate on the ever-brisk pace of technological innovation as well as the proven ability of hackers to stay ahead of the good guys.
“It’s great to put something down on paper, but threats, particularly in cyberspace, continually evolve,” he explained. “Today you might want to tell everybody, whether it’s private [companies] or the government, to do X, Y and Z. Tomorrow those actions might not address the problems at hand.”
One thing is clear, however. Before consumers will trust their governments or the private sector with their personal information, there has to be a policy to promote accountability for protecting the data. Unfortunately, punishing the private sector alone is only half a policy.