Data Breach Notification

There have been many recent discussions regarding the effectiveness of data breach notification, which was first introduced by California in 2003 and later adopted by other states and by the European Union. The EU implemented a breach notification law in the Directive on Privacy and Electronic Communications (E-Privacy Directive) in 2009, specific to personal data held by telecoms and Internet service providers.

Current US data breach notification laws exist at the state level and require companies to notify their customers when the security of personal information has been breached and there is a reasonable belief that the stolen or lost information can lead to identity theft. President Obama signed an executive order in 2014 to introduce a national breach notification law.

Personal information does not have to be stolen to warrant a consumer notification of potential identity theft and fraud. In fact, any situation that causes a company's management to believe that consumers' private information might be at risk due to unauthorized disclosure warrants a data breach notification letter to all those who are affected by the breach. For example, a set of consumer data might be misplaced and never found; however, such information can later be found and abused by employees, outsiders or both. Also, the breach notification laws do not require automatic consumer notification after a loss or theft of consumer personal information without an assessment of the incident and a conclusion that risks to consumers exist. A notification would nevertheless be a wise business decision, and the costs are well justified when such factors as a high number of affected records, exposure of key personal information, and a high chance of publicity exist.

Not only is breach notification the law in some places, which must be complied with to avoid additional breach-related costs such as fines and legal expenses in case of consumer lawsuits, it also makes perfect business sense. Companies that deal with millions of consumer information records, such as banking and insurance organizations, are even more exposed to identity theft risks: not only are they more vulnerable to potential data loss or theft, but the impact of such cases is huge in terms of public relations and damage control. As such, and more importantly, a mishandled consumer data breach can cost the company its clients and future revenues. After all, who wants to do business with a company that doesn't care about the security of its client information? When a company loses its customers’ personal information, the consumers must deal with the unnecessary and unprovoked burden of calling the police, placing fraud alerts and monitoring their credit reports. Consumers don’t want additional tasks on their busy daily schedules that they did not provoke and that bring no value to their lives. How many times have we heard of companies making the same mistakes over and over? Companies or their consultants continue to act negligently and lose the personal information of their customers. Somehow, they don’t seem to learn from their own mistakes or from news reports of stolen or lost data at other companies. They keep losing unencrypted tapes, computers and removable devices containing millions of personal records, which is negligence because such incidents are preventable.

Now, there are those who question the effectiveness of the data breach notification process; however, consumers want to know when bad things happen to their information that could have dire consequences for them. It’s sad, but the data breach notification laws are here because companies need to protect their customers. Consumer notifications are important because they allow consumers to place fraud alerts on their credit reports and monitor their accounts and consumer reports to detect potential fraud resulting from the incidents. When identity theft protection services are offered and paid for by the companies that experienced the personal data breach incidents, consumers are more willing to forgive and give their insurance providers or banks a second chance; the monitoring costs are therefore also justified as a way to retain customers after an incident occurs.

In conclusion, data breach notification is an effective solution following a security incident because it allows consumers to decide whether fraud prevention and monitoring services are necessary for their situations. And from a company’s perspective, incident notification, consumer education and paid monitoring services are good ways to show leadership, responsibility and respect in order to retain customers, especially when security incidents are due to negligence which could have been prevented. That fully justifies the high costs of repairing the mistakes, maintaining trust and damage control.
