New Data Breach Legislation and the Need for Risk Assessment Standards

September 29, 2010 – 10:38 pm

by ID Experts

In the past two months, there have been two bills introduced in Washington, D.C., that are attempting to set nationwide standards for the security and privacy of consumers’ personal information. The intent of these national bills is to provide fairness and consistency in handling of data breaches, and to overcome the inconsistencies created by the existing 46 different data breach notification laws in 46 states. This is a laudable goal, but the effect of these new bills will be truly beneficial only if they can establish clear guidance for assessing reputational, financial, and other risks from a data breach. Without that, they will be replacing one set of inconsistencies with another.

The Proposed Legislation: Risk Assessment and Required Notification

The “Data Security and Breach Notification Act of 2010,” introduced by Senator Pryor (D-Arkansas) and Senator John Rockefeller (D-West Virginia) on August 5, 2010, requires organizations that handle and store private consumer information such as social security numbers to use “reasonable security policies and procedures” to protect the information and to “provide nationwide notice in the event of a security breach.” In addition to requiring appropriate security technologies and processes, the legislation would require companies to periodically assess their risk profile and take corrective actions in addressing security weaknesses. The Act would also require notification of consumers affected by a data security breach within 60 days of discovery. And for the first time, this bill would require that the organization provide the affected consumers with two years of credit reports, credit monitoring or “other service that enables consumers to detect the misuse of their personal information.”

Separately, Senator Carper (D-Delaware) and Senator Bennett (R-Utah) introduced the “Data Security Act of 2010” in July. This bill focuses on entities such as financial institutions, retailers, and federal agencies that handle vast amounts of personally identifiable information (PII) on consumers. Like the Pryor bill, it requires notification of consumers when a data security breach occurs that poses a substantial risk of identity theft or account fraud to the consumer, but it does not require that affected consumers be offered free credit monitoring or other services to prevent or detect identity theft and fraud.

The Pitfalls of Open-ended Risk Assessment

Like the Health Information Technology for Economic and Clinical Health (HITECH) Act, which governs the security and privacy of protected health information (PHI), the proposed data security legislation is likely to be difficult and complex both to comply with and to enforce. All three acts require consumer notification for data breaches that exceed a vaguely specified “harm threshold,” and the difficulty in establishing and regulating the use of a harm threshold lies in the details.

One of the challenges in doing an effective incident risk assessment is determining the impact of data other than a social security number. To understand the complexity of determining data risk, consider a healthcare breach situation. If your medical records were lost by a hospital, and someone could find out that you had your appendix out, that knowledge would carry little financial or reputational risk to you. If, on the other hand, the breached records showed that you were HIV-positive, the financial and reputational risk might be substantial. Determining the potential risk of other financial and personal data can be equally complex.

A second challenge lies in the conflicting interests of the organization doing the risk assessment. Where is the incentive for an affected organization to carry out a proper risk assessment and come to a fair and accurate conclusion, when a determination that the breach exceeds the risk threshold can cost it millions of dollars in data breach remediation costs, not to mention losses from reputational damage and customer churn? How are organizations to objectively assess the risks of their own data breaches without clear guidance?

Finally, there is the challenge of figuring out how to correct the problem, once personal data is lost. Notification is expensive, but if a social security number is lost, the risks and the benefits of notification and remediation are clear. In cases where the risks are not clear, it is also less clear how to protect against them and whether the costs of attempting to do so are justified.

Defining Harm Thresholds for Risk Assessment

We believe there should be a harm threshold in pending breach legislation, including the recently proposed Data Security Act of 2010 and Data Security and Breach Notification Act of 2010, and a clearer harm threshold for the HITECH Act as well. Current legislation relies on organizations to determine risks in a regulatory vacuum, which produces inconsistent results. What is missing today, causing confusion and drawing out incident risk assessments, is guidance on the potential reputational, financial and other risks associated with specific breached data elements. Organizations do not typically have the internal expertise or experience to assess the risk of harm to individuals from identity theft and fraud. And while some use outside experts or new tools on the market, objective guidelines would go a long way toward alleviating confusion and encouraging consistent handling of breach situations.

We at ID Experts propose that a consortium of experts from industry and academia, lawmakers, and legal and consumer privacy advocates define the problem and develop possible solutions and implementation approaches. The focus would be to define the financial impact of the unauthorized disclosure of specific data elements that make up PII and PHI. This would provide the missing variable in the risk equation, facilitate organizational investment in information security, protect consumers’ personal information, and give legislators and solution providers a metric to create more effective legislation and industry solutions.
