Why we don't need a security breach notification law

Data Protection guru Chris Pounder has put forward an excellent argument that there is no legal requirement for a security breach notification law in the UK because we already have a requirement for this under the Data Protection Act (1998). I’d also argue that there is no need for such a law because there’s simply no point in it. Unless you’re a pilot.

Chris points out that under the Seventh Principle of the Data Protection Act, organisations that lose unencrypted personal data are obliged to notify the data subject under good security practices. As Chris says,

“most of the important features of USA-style security breach notification law are now embedded into the guiding Principles of the Data Protection Act. Organisations risk being fined if they carelessly lose personal data or fail to encrypt personal data when they should have done. Individuals are protected because they have simple and free access to the Information Commissioner, who has powers to investigate any complaint and fine. Compensation for aggrieved individuals could arise from any significant security lapse.”

The US has had data breach notification laws in various states for some years now, with California’s SB1386 leading the way. The state-by-state approach reflects their philosophy towards data protection, with 11 states still having no breach notification laws. Advocates claim that such laws give consumers the ability to defend themselves if their data is compromised, and to make a more informed decision about which public authorities and private organisations to trust with their data. Critics point out that offending organisations have no motivation to come clean when the consequence can be a hefty FTC fine or class action lawsuit.

In an article on the US experience, Don Peppers and Martha Rogers highlight some of the problems with the US approach. Their recommendations include:

  • Define harm thresholds
  • Provide guidelines for appropriate remedies
  • Define who is liable for costs arising from a breach

They also point out two areas that have worked well:

  • Define what should be considered sensitive personally identifiable information in the context of a breach
  • Provide an exemption for encrypted data

Here in the UK we currently don’t have an explicit data breach notification law, and policy makers have called for one in light of the string of high-publicity data loss incidents late last year (and if you need me to describe what those were then where have you been for the past 10 months?) On the face of it, a breach notification law looks like an attractive proposition: let people know what data has been lost, and by whom, so that they can do something about it.

But what exactly can people do? Think about it. If a public authority has lost CDs with your personal data on them, and informs you of that fact, what do you do next? You can’t change your biometrics, race, age, or health records. Changing your name, address and even your gender just to escape the threat of identity fraud would seem a little extreme. If you’ve used the dates of birth of loved ones as PIN numbers for Internet banking then you probably deserve to get ripped off, but change them to random numbers anyway. There’s very little else you can do, except a) buy a shredder, b) sign up for CIFAS protective monitoring, and c) subscribe to a service such as those offered by Garlik or Experian. This approach is locking the door after the horse has gone, but at least it makes people feel good (and as Tom points out, the shredder makes a satisfying grinding noise).

So the next thing you can try is to sue the organisation concerned. But on what grounds? You’d have to prove material or emotional damage first, and then prove that the cause was the lost discs. And unless an identity fraudster has been attacking every subject in a lost dataset, in such a way that there could be no other possible source of the dataset, then how do you prove it came from those discs? An argument of “half the country’s suffered ID fraud so it must be HMRC’s fault” isn’t going to stack up in court. There’s really very little of value that an individual can do to seek redress.

The argument for sensitive personal information is slightly different. If, for example, a Primary Care Trust has lost a backup tape with medical records on it, then some of that data might be very sensitive indeed. But who is going to use it? No legitimate organisation would be permitted to act on that data, so there’s no fear that an employer might discover an employee is HIV positive or undergoing gender reassignment. A blackmailer could use that data, but we’re now into traceable criminal activity, so that seems like a slim chance too.

Data breach notification advocates argue that even if redress isn’t possible, this transparency is necessary for individuals to be able to trust the organisations they share data with. There’s some legitimacy in that argument, but is it reasonable to expect every breach to be notified to every individual? If that law were to come in, then we’d all receive swathes of junk mail notifying us of who lost what every day. As we witnessed at the end of last year, the public quickly become inured to the message and ignore it, and the media stop paying attention when the story gets tired.

Advocates then suggest that organisations should report breaches to the Information Commissioner or similar body so that statistics can be gathered. Once again, to what purpose? Knowing that there were more breaches this month than last month doesn’t seem particularly helpful. If the Commissioner has powers to punish the notifying organisation then there is little incentive to notify, since at that point the organisation itself hasn’t suffered any material loss – owning up to it is only going to make matters worse.

So if we’re going to have a breach disclosure law, we need to determine:

  • who notifies whom?
  • when do they notify? Do they have a chance to remedy the situation first? What is the minimum timescale for notification?
  • why do they notify? Are data subjects going to be able to seek redress?
  • what is the outcome of the notification? Do they get punished? Do data subjects receive assistance sorting things out?

There is, however, one very good reason for getting a breach notification law: the aviation industry has understood the value of near-miss reporting for years. Pilots are encouraged by the authorities and by their professional colleagues to report ‘near miss’ incidents immediately on landing for investigation. In only exceptional circumstances where there is obvious and accepted professional misconduct or incompetence is disciplinary action taken. The system works well: incidents are identified immediately and remedial action taken to mitigate or solve the problem not only for that crew, but for all crews. Levels of self-regulation and camaraderie are high and professionalism assured. Bad decisions or poor airmanship or control are identified and quickly resolved. This model could be transferred across to the information security industry, but I suspect that competing commercial interests would prevent a voluntary scheme ever getting off the ground, and independent schemes don’t seem to achieve that desired outcome of shared learning.

Despite the strength of the aviation example, I would argue that none of the points above give rise to a valid business case for establishing a notification and enforcement infrastructure that actually does any good for anyone concerned. Money would be much better spent on a properly-managed victim support scheme that can assist individuals when things have gone wrong for them. Any security professional will point out that there will always be breaches, so I believe that government intervention should focus on remediation, not prevention.

In conclusion: if you work for an organisation that has lost my data, there’s no need to tell me about it, so long as you promise to learn your lessons and not to do it again. However, if I suffer material loss as a result of that breach, then perhaps you could be good enough to help me sort the mess out?