Disclosing data breaches: There oughta be a law
Back in September 2011, an unusual purchase was made at a Santa Cruz, Calif., thrift store.
An unidentified "member of the public" bought an external hard drive that contained more than 30,000 Social Security numbers belonging to Kaiser Foundation Health Plan employees and former workers, a January lawsuit filed by the California Attorney General's office claims.
While that was bad enough, what came next compounded the problem, the complaint alleges. Kaiser managed to reclaim the hard drive in December and performed a forensic investigation, but the company then waited three months to alert the victims, the lawsuit claims.
In its lawsuit, California alleges Kaiser violated a state law that requires companies to disclose security breaches "in the most expedient time possible and without unreasonable delay."
While Kaiser reached a settlement last month, the case highlights a bigger issue about data breach disclosures: they're covered by a patchwork set of laws that vary from state to state. Given that some of those laws include vague guidelines, such as California's "most expedient time" wording, companies have leeway in when to alert customers. Consumers, on the other hand, can feel gobsmacked when they learn a company waited to flag them about a theft of their personal data.
So, what exactly does California's law mean?
"Many of the states without a specific time frame came to regard 45 days as what is reasonable and expected," notes Margo Tank, a partner at BuckleySandler LLP.
But 45 days might not be so "reasonable," given that data breaches are sometimes reported in the press, Tank adds.
Take Target's recent data breach, which affected as many as 110 million consumers. Some shoppers were angered by the timeline of the breach's disclosure, given that security blogger Brian Krebs broke the news about the crime before the retailer alerted its customers.
But companies sometimes want to hold off on disclosing a breach until they've worked with law enforcement and have clear information to provide to customers.
"If I disclose too early, I may give out the wrong information," notes John Pironti, risk advisor with the nonprofit information systems group ISACA. "There's an expectation of total disclosure, but often you don't know all the facts. What you first put out there will be the first thing everyone remembers."
In Target's case, the company had a four-day gap between when it confirmed the breach and when it alerted customers.
"As soon as we confirmed the breach on December 15, we immediately alerted the relevant financial institutions and began working with the appropriate law enforcement to ensure we were complying with all state and federal requirements," a Target spokeswoman emailed CBS MoneyWatch. "We then moved swiftly to inform our guests, educate them and help them understand steps they could take on December 19."
The grab-bag of state disclosure laws is prompting a call for a national standard. U.S. Attorney General Eric Holder last month urged Congress to create a countrywide standard. Currently, 46 states have laws about breach notification. Alabama, Kentucky, New Mexico and South Dakota lack guidelines on disclosure.
It's not a small problem, considering that more than 600 million personal records have been stolen in 3,818 breaches since 2005, according to Bloomberg Law. As ISACA's Pironti notes, criminals are becoming increasingly sophisticated about attacking corporate information systems. That means data breaches aren't likely to stop anytime soon, and the victims may be the last ones to find out about them.