It had already been law in California since 2002 for service providers experiencing a database breach to notify their customers when they suspect the security of their personal data may have been compromised. But for the last few years, there was a strange little controversy over just how businesses make those notifications. Isn't a post on the FAQ of the company Web site enough?
Up until last year, the official stance of then-Governor Arnold Schwarzenegger was that notifying customers directly "would place additional unnecessary mandates on businesses without a corresponding consumer benefit." That stance changed when Gov. Jerry Brown signed the bill that Schwarzenegger had vetoed.
Most importantly, the new law (PDF available here, courtesy Information Law Group) states that notification must be direct. Yes, it can be electronic, but it must provide a way for the notified party to follow up with questions, and give that person a point of contact who represents the company. The company contact must be accessible through toll-free telephone, not just e-mail.
The problem with data breach notifications themselves, especially the kind that don't follow any particular format at all (a fact that may have escaped then-Gov. Schwarzenegger's notice) concerns phishing. It's no surprise that phishing attacks are designed either to entice or to alarm the victim, and being told there's been a data breach at the credit card company can certain cause alarm. If the recipient's only recourse is to click the hyperlink for more information, that could lead her directly into the trap. Thus the provision in the California law for the toll-free telephone line; typically, telephones aren't involved in everyday phishing schemes.
As a blog post on the Web site of credit reporting service Experian puts it, "With numerous different breaches affecting so many people as of late, millions of consumers are receiving e-mails from trusted brands noting that customer e-mails (and perhaps other information) have been compromised, so consumers should be wary of future e-mails that may appear to be sent from them... like the one they're reading now... This begs the question of whether customers are starting to tune out to the onslaught of breach alerts flooding their e-mail in-boxes."
In fairness, though, Schwarzenegger's objection to the law may not have centered solely around the need to install a phone line. When a company must plan to make direct notification in response to an event that may impact its legal expenses, that fact alone changes the risk assessment outlook for their insurance. Put another way, if customers didn't really have to know their data integrity was compromised, the risk of being sued would be lower. Now that they must know, their rates could - and probably will - go up.
As attorney Mark McCreary wrote for CIO Insight last Thursday, "CIOs now have the unenviable task of discussing a broad range of data losses with legal, marketing and risk assessment professionals. The loss of an unsecured smartphone, even one remotely wiped 48 hours later, may have not previously raised any eyebrows if it contained no 'personal information.' Now, it is arguable that a new assessment must be undertaken to see what information was on the smartphone that could lead to an association between the applicable individual and a third party. This same assessment applies to lost laptops, thumb drives and paper files. Likewise, a known network intrusion may not have raised too many concerns if the 'personal information' was encrypted, but going forward there will need to be an analysis of what types of information may have been accessed."
The author of the notification bill (since 2008), State Sen. Joe Simitian (Dist. 11), issued a statement last Wednesday: "No one likes to get the news that personal information about them has been stolen. But when it happens, people deserve to get the information they need to decide what to do next."