
Breach notification laws now!

September 21st, 2006 Posted by D Webber

The European Commission has proposed a directive to require providers of “electronic communications networks or services” to notify customers of personal data breaches.

If it goes forward it will be good news for consumers, though unfortunately the proposal would only apply to telcos and not all companies. Laws like this that embarrass and lower confidence in companies are a strong motivator to get them to better protect customer data.

The notification laws in many of the U.S. states have started to have a positive effect in reducing the number of workers walking around with sensitive data on laptops and other accidents waiting to happen. I suspect all the publicity has also helped motivate other jurisdictions to introduce their own notification laws, and made it easier for such laws to be adopted.

All nations should have such laws. I downloaded the attrition data loss database and was dismayed to see that of the 365 entries, only four were from Canada. There have been far more than that in this country, like the recent loss of data tapes in British Columbia. Unfortunately, Canadians only hear about breaches when the company involved is a multi-national subject to a U.S. notification law, or an auditor forces a government to come clean.

Of course, unauthorized disclosure of sensitive data has been going on for decades, even before computers. Breaches only seem like an epidemic now because of the recent laws. However, with computer systems replacing human judgement in so many types of transactions, the damage that can be done using stolen personal data is now much greater than ever before.

Some will argue that it’s all excitement over nothing… that few of these events actually result in the data being used in identity theft and other fraud.

One problem with that thinking is that it’s impossible to really measure the resulting fraud… companies that have allowed a breach to occur aren’t required to report such things and have no reason to keep track of it. They’re also hardly likely to publicize such information even if they did track it. Also, misuse can occur months and years after the initial breach, possibly multiple times, with the data trading hands many times over the years.

Besides, when a breach concerns sensitive personal information like medical conditions, income or whether you’ve ever been on welfare, it’s the loss of privacy that matters.

Hopefully the EC proposal will be adopted and eventually expanded to cover more types of companies, and more places will start compelling the disclosure of data breaches. Notification gives those affected a chance to do things to protect themselves, and most importantly it motivates organizations to better protect their customers’ sensitive data.
