Complying with legal requirements that mandate notifying employees or customers when their data is exposed is an understandably unpleasant corporate task. No matter why the data disappeared, the organization's image is clipped a bit with every notification it sends out.
This Computerworld story implies that Pfizer Inc. and Kingston Technology Co. had trouble facing the music and delayed letting those potentially impacted know what was going on -- until it was likely too late to do anything about it.
The story says Pfizer's lawyers informed Connecticut Attorney General Richard Blumenthal that a breach impacting about 17,000 employees occurred on April 18, but notifications weren't made until about six weeks later. The time gap in the Kingston situation was far greater. Earlier this month, the company began informing 27,000 online customers of a potential compromise that occurred in September 2005.
This critical posting at ITtoolbox was written by the Director of Information Security at HCR Manor Care, a health care organization. He says Pfizer reacted tardily and the company provided laptops to employees "that were just begging to be compromised." He provides four steps that may have prevented the problem.
An organization's reaction to a data breach is played out on at least three levels: What is the company required to do legally? What are its ethical responsibilities? How can it legitimately seek to limit damage to its image?
While it's obvious that people are entitled to know the state of their data, there invariably are shades of gray in these complex situations. The problem is that taking action on the second and third questions is difficult because answers to the first question -- precise legal responsibility -- vary greatly depending on where the breach occurs.
This Intelligent Enterprise piece says notification laws differ greatly by state. Indeed, there are no laws in 17 states. In 18 states, companies are released from disclosure requirements if it is judged that the exposed data cannot be misused. It is common for companies not to be subject to disclosure laws if the data was encrypted. (This alone is reason enough to invest in the technology.) A more systematic look at the laws is available from the law firm of Crowell & Moring.
Last month, the U.S. Government Accountability Office released a report on data breaches and identity theft. The introduction says strong notification laws lead to better security, but will cost organizations money. The GAO acknowledges that laws are difficult to follow because of the great variations between states and says that some experts back national standards. Finally, the report says people have a basic right to know when their data is compromised and that notification has side benefits, such as leading people to review their credit card statements and reports.