The recent $10 million settlement of the Target data breach demonstrates why we have data breach notification all wrong.
We use data breach notification as a means to punish companies that have suffered a data breach. We treat companies like Target, Home Depot, Anthem and Premera as criminals and tortfeasors; we demand that they pay millions of dollars for “allowing” a breach to occur.
We essentially demand guarantees of privacy and security from data holders, data collectors, and data processors. We want our data to be secure.
We want the impossible. And we punish vendors for not being able to deliver it. The main way we punish vendors is through data breach disclosure laws.
It’s not that entities can’t do a better job of security. After the fact, it all looks so easy. Some entities do virtually nothing to secure their infrastructure (and our sensitive data). Some do a lot. Few do enough.
But even those who have multi-million dollar budgets, tight information security programs, and are trying to do the “right” thing – even they will have data breaches.
Right now (and this can change) we have to assume that data is not secure – or securable. It can be “better” secured, it can be “reasonably” secured, but it can’t be secured. Well, it can’t be secured AND accessible and useful.
Why We Have Data Breach Disclosure Laws
The first “data breach disclosure” law was California’s SB 1386. But the law didn’t start out as a data breach notification law. It started out in February of 2002 as an amendment to the public records law. Four months after its introduction, the bill was amended to essentially strike all of its provisions, and turning it into a data breach disclosure law. So what happened?
In April of 2002, hackers broke into the servers at a data center called the Stephen P. Teale Data Center in Rancho Cordoba north of Sacramento. That’s the data center for running California.state.gov and a bunch of other services for the golden State. The hackers exploited a .sql database vulnerability and made off with SSN’s and payroll data of 265,000 state employees. Or, what we would call in 2015, “Thursday.”
But, these were no ordinary state employees. The data center also hosted the personal data of, among others, the Governor, the Lieutenant Governor, and all of the members of the California legislature. Within weeks, the lowly public records amendment morphed into a data breach disclosure law. The legislative history of the statute explains why the law changed. The history notes:
The recent incident at the Stephen P. Teale Data Center which saw the personal financial information of hundreds of thousands of state workers fall into the hands of computer hackers is a dramatic demonstration of an all too common event – a breach in data base security which exposes victims to the further harm of identity theft. In the Teale incident, authorities knew of the breach in security almost a month before state workers were told. We can at least be thankful that victims were given the opportunity to take protective measures based upon notice of the event – albeit late notice.
So the problem the California legislature was trying to deal with was NOT computer security. It was NOT trying to “punish” the Teale Center for having a breach.
Legislators were upset that, by delaying notification to the data subjects, the agents of the government exposed the victims to further harm and damages – particularly what they called “identity theft” but was more accurately described as identity fraud.
In other words, you tell your customers about the fact that you have been breached so they can take remedial efforts to limit YOUR damages.
When your credit card number is stolen, you want to know about it so you can do things like check your credit card statement for unauthorized charges. And check your credit report for unauthorized applications for credit. And check other personal information for changes or attempted changes, and where necessary, take remedial efforts like contacting law enforcement, getting new credit cards, changing account passwords or things like that. The purpose of NOTICE is to protect the company that suffered the breach from having the damage continue.
So the presumption is that you notify customers so they can take actions to prevent further harm, damage and loss. But modern data breaches demonstrate that this has happened in reverse. The harm, damage and loss in these cases are primarily related to making the notifications.
First, there is the cost of investigation. Determining the names and contact information of all the people who might have had their information breached, the scope of the damages, and when and how the information was taken.
Then, the cost of actual notification. PR costs. Mailing costs. Not to mention the hit on the stock price and reputation from making the public mea culpa. And you may be inviting copycats or trolls.
Then the cost of remediation. Credit watch, credit monitoring, credit freeze, toll free numbers, ID Fraud prevention, etc.
Then the cost of replacement of personal information – new credit cards, new debit cards, etc.
And all of that BEFORE a single dime is stolen by hackers.
In fact, the Target settlement of $10 million may never actually be spent by anyone other than lawyers. That’s because, in order to get a piece of the settlement money, an individual will have to demonstrate that they personally suffered some tangible damages resulting specifically from the Target breach.
And for most people, the “damage” resulting from the breach was the fact that they had to get a new credit or debit card – which was issued by their bank, and they might have had to update automatic debit or withdrawal setting with the new account.
For some, they may have also noticed unusual credit activity on their credit reports, and had to contact a potential creditor. So how do you quantify that in terms of actual damages? What’s the cost of having to input a new credit card number into your Amazon account? A buck? Ten? And is it worth the time and effort to file a claim? Probably not.
Sure, there will be people who suffered not ID Fraud (someone stealing your credit card) but actual ID Theft. Some employee at a canning facility in Sacramento using your name and Social Security Number. Some diabetic in Fort Worth getting insulin paid for with an insurance policy in your name. Some felon in central booking in lower Manhattan giving the NYPD your name and address. Those people are truly victims of ID theft as a result of things like the Target, Anthem or Home Depot hack. And they should get compensated. The Target settlement caps these damages at $10,000 per person. That seems about right, but in some cases it might be on the low side. In a few.
But the 10 million is settlement for damages is a pittance compared with the estimated tens of millions Target has paid in remediation costs. And the $100 million estimated to establish new payment systems for Target, including chip and pin. The $10 million may never actually be paid out. Ever.
So the problem now is that NOTIFICATION costs in most cases far exceed the actual damages. Remember, the point of notification is to limit damages. Now it’s the other way around. Notification costs ARE the damages.
We got that backwards.
Even though companies can and should do a better job at protecting data, the breach notification protocols we have in place are used to blame entities that are, at the end of the day, victims of sophisticated (and sometimes less sophisticated) acts by thieves and criminals. Sure, they are fiduciaries of your information, but they are also crime victims. The law should treat them as such.
So maybe – and I’m just throwing this out there – maybe in deciding whether a breach notification should be required, we should consider the costs/benefits of notification. Not just to the breached entity, but to the consumer as well. Is there anything the consumer can reasonably do once notified? Is notification only going to upset the data subject without reason? Shouldn’t the breached entity focus its efforts on FIXING the problem, rather than exacerbating it? Spend the resources not on notification, but on prevention.
Of course, the cost of a potential breach is a great motivator to get entities to do what they should. Nothing motivates a CISO more than having a breach at a related company and going to the CEO and saying, “there but for the grace of God…” And if we get to keep breaches secret, we reduce the incentive to fix things.
But sometimes it’s good to be an ostrich. Sometimes.