Breach notification challenging

Legislators are mulling a number of changes to the Rhode Island Breach Notification Act that may bring unexpected consequences. There are aspects of these proposed changes that will actually do a disservice to consumers – the very group laws like this are designed to protect.

Most concerns center on the 14-day notification time frame legislators are suggesting. Requiring organizations to quickly notify impacted parties after a breach is a good goal, but in reality, a too-short window of time will lead to numerous problems. Responding to a breach is a very complicated undertaking, the mechanics of which are likely lost on most politicians.

A business must first determine if a breach has actually occurred. Then it will need to identify who has been impacted, what type of information was exposed, which method was used to steal the information (if it wasn’t simply lost) and, based on the totality of the information uncovered as part of the investigation, what the likelihood of harm is expected to be.

Considering the low probability that a company will be able to nail down all of these details in time to meet the proposed notification schedule, consumers are likely to receive multiple notifications for any one breach. Businesses will be forced to provide initial notification quickly, and they will then be compelled to follow up with additional details as more information comes to light. This over-reporting provides little benefit to consumers. Instead, they’re apt to find themselves confused and upset.


Rushing the notification process also leads to the likelihood that communications won’t be made through the best channels. Sending notifications to the wrong physical or electronic address will only further bungle any breach response.

The new language also requires businesses to notify the credit bureaus after a breach, but it’s an outdated concept that often does nothing more than generate more work for the breached organization and leave consumers open to marketing contacts. If Social Security numbers or other specific data sets haven’t been exposed, then notifying the credit bureaus provides little benefit.

The revised regulations also call for notification only when names are exposed in conjunction with another type of data, such as SSNs or account numbers. But anyone who works in the fraud business knows that an SSN can be damaging in and of itself. The name is just a bonus. In today’s world, the risk of fraud exists even when only a single piece of data is released. Limiting notification is bad for consumers.

Mandating electronic notification, another proposal being considered, is also highly problematic. Consumers are taught to be wary, and they may think an email offering credit monitoring or other services is spam or a scam.

The proposed amendment’s impact on the business community must also be considered in light of its impact on the public. By adding unnecessary costs, there may be fewer resources available for the business to support consumers. Resources such as call centers to answer breach victims’ questions and credit monitoring for impacted individuals all cost money. The more a business must put towards meeting ridiculously stringent timing guidelines thought up by academics and politicians, the less it will have to spend on affected consumers like you and me and on preventing future incidents from occurring.