Would UK consumers benefit from US style data breach notification legislation? Richard Stone argues the case
The theft of CDs containing the personal information of 25m UK citizens has rightly prompted the question: ‘How could HMRC let this happen?’ The real question we should be asking is: ‘Who else has lost my data?’
Companies of all sizes, including local & national government, hold huge amounts of very private information on virtually every individual in the UK, yet amazingly, there are no laws to force them to either protect that information (such as by encrypting the data), or to tell you if your un-encrypted information gets lost or stolen. Ever since the first credit card number was put on the first laptop computer or CD, companies have been losing information and simply not publicising it.
There’s a sad fact of economic life here: It’s cheaper for a company to say nothing and do nothing if they lose Joe Public’s private information, rather than to do the right thing -- ensure that all the data is encrypted, or telling consumers if there’s a risk that their private data could have got into the wrong hands.
The situation in the US today is very different: Following on from some very high-profile data thefts, many States have now enacted so-called ‘Data Breach Notification’ legislation.
Put simply, this legislation says ‘If you lose customers’ Personal Identifiable Information (Social Security numbers, credit card numbers, driving licence numbers, etc) and it wasn’t encrypted, then you MUST notify everyone who’s likely to be affected. Many States have also included additional consumer protection, such as one year’s free credit monitoring services to protect against possible identity theft.
The US Federal Government – immune from State legislation -- has also mandated strict data security standards for itself. Following an incident similar to the HMRC in mid-2006, President Bush issued a mandate that all government departments must implement data encryption – no exceptions: (In that breach, a laptop containing health and financial information on 26.5M veterans was stolen from an employee’s home – the cost of just mailing the notification (letters, envelopes, postage) was about $11M)
“The UK government must follow the US lead. They must enact legislation to protect consumers against the horrors of data theft and the subsequent risk of identity theft.
Richard Stone, CREDANT Technologies
The net effect of US legislation has been to change the economic balance of data security: Now, it’s cheaper to implement a good data security solution (ie encrypt the data) than to bear the cost of a data breach notification. The figures speak for themselves: When items such as credit monitoring are added in, it’s estimated that the average cost of a breach notification following the loss of un-encrypted data is in the region of $90-$140 per customer record.
So, if the loss involved 100,000 customers, this will typically cost a company on average about $11.6M.
US legislation hasn’t stopped data theft, any more than burglaries have been stopped by property laws. What it has done is to provide insurance for affected consumers by forcing companies and the government to either protect consumers’ data, or come clean when they lose it so consumers can get the protection they deserve. It has also put the spotlight on companies who fail to protect consumers’, as these breaches are now tracked by a number of public web sites:
The UK government must follow the US’ lead. They must enact legislation to protect consumers against the horrors of data theft and the subsequent risk of identity theft. If nothing else comes out of the HMRC incident, then let this be a lesson learned the hard way.
Richard Stone, is vice president of marketing for CREDANT Technologies
No comments yet