Data Breach Notification

There have been many recent discussions about the effectiveness of data breach notification, as Europe proposes to implement consumer notification measures similar to those that currently exist in the United States.

Current US data breach notification laws are at the state level and require companies to notify their consumers in cases where personal information security has been breached and there is reasonable belief that stolen or lost information can lead to identity theft. Notice I said lost or stolen, because personal information does not have to be stolen to warrant a consumer notification of potential identity theft and fraud. In fact, any situation that causes a company's management to believe that consumer private information might be at risk due to unauthorized disclosure warrants a data breach notification letter to all those who are affected by the breach. For example, a set of consumer data might be misplaced and never found; however, such information can later be found and abused by employees, outsiders or both. Also, the breach notification laws do not require an automatic consumer notification in case of loss or theft of consumer personal information without an assessment of the incident and a conclusion that risks to consumers exist, although a notification would be a wise business decision, and the costs are well justified when a huge number of records are affected by the incident.

Not only is breach notification the law in some places, which must be complied with to avoid additional breach costs such as fines and legal expenses in case of consumer lawsuits, it also makes perfect business sense. Companies that deal with millions of consumer information records, such as those in the banking and insurance industries, are even more exposed to identity theft risks because not only are they more vulnerable to potential data loss or theft, but the impact of such cases is huge in terms of public relations, lost revenues and damage control costs. As such, and more importantly, a mishandled consumer data breach can cost the company its clients and future revenues. Who wants to do business with a company that doesn’t care about the security of its client information? When a company loses its customers’ personal information, the consumers must deal with the unnecessary and unprovoked burden of calling the police, placing fraud alerts and monitoring their credit reports. Consumers don’t want additional tasks on their busy daily schedules which they did not provoke and which do not bring any value to their lives. How many times have we heard of companies making the same mistakes over and over? Companies or their consultants continue to act negligently and lose the personal information of their customers. Somehow, they don’t seem to learn from reported news of stolen or lost data at other companies. They keep losing unencrypted tapes, computers and removable devices containing millions of personal records. This to me is negligence because such incidents are a) well known and documented, and b) preventable.

Now, there are those who question the effectiveness of a data breach notification process, but let me say this: as a consumer, "I want to know" when bad things happen to my information which could have dire consequences for "me and in my life". It’s sad, but the data breach notification laws are here because companies didn’t learn from reported news and did not care about protecting consumer information or what happens to consumers after the breach incidents. In addition, consumer notifications are important because they allow consumers to place fraud alerts on their credit reports and monitor their identities to detect potential fraud resulting from the incidents. When monitoring services are paid for by the companies or their service providers that caused the incidents in the first place, consumers become even more forgiving and are willing to give their insurance providers or banks a second chance; therefore, the monitoring costs are also justified to retain customers after an incident occurs.

In conclusion, data breach notification is an effective solution following a security incident for allowing consumers to decide if fraud prevention and monitoring services are necessary for their situations. And from a company’s perspective, an incident notification, consumer education and paid monitoring services are good ways to show leadership, responsibility and respect in order to retain their customers, especially when security incidents are due to negligence which could have been prevented, and thus fully justify the high costs of repairing the mistakes, maintaining trust and damage control. To learn more, read about the fraud notification process.

Consumers should learn what a data breach notification means to them.
