Reading this article in the Boston Globe made me think about how often people are actually notified when their personal data is compromised. When customers’ personal data was stolen from Sony (as mentioned in the article) I was only informed by reading a short notice on my PS3 once when I turned it on. That was it…that is all I got. Apparently they also sent out emails but I can’t recall getting one – more than likely it went into my SPAM folder with all the garbage I get trying to sell me more games. So I decided to do a little digging and it seems that the US senate is in the process of enacting a bill to make it a federal law requiring companies to inform consumers whenever there is a security breach that could have possibly compromised personal information. It seems that most all states already have such laws but since the compromised information may be held by a company based in a different state (ie most credit card companies are based in Delaware) a federal law would be more effective.
I also see that while many states have the laws in place…several of them don’t have any penalty for not abiding by it. Here’s what I mean- Let’s compare NY and Indiana…
Breach Notification Law: N.Y. Gen. Bus. Law § 899-aa S3760
Notification Requirement: Most expedient time possible, without unreasonable delay
Other Requirements: Encryption standard mandated
Civil or criminal penalty for failure to promptly disclose
Breach Notification Law: Ind. Code §§ 24-4.9 et seq., 4-1-11 et seq., 2009 H.B. 1121
Notification Requirement: Without unreasonable delay
Summary: No civil or criminal penalty for failure to promptly disclose
The bolded portion above shows that New York will (theoretically) penalize a company for not notifying a person of potential compromised data but Indiana has no penalty what-so-ever. What good is a law that can’t be enforced? And what the heck is “without unreasonable delay?”
I was relieved (for a moment) to read that the penalty is often very severe and can cost a company dearly, but quickly my concern returned as, just a few sentences later, I read that if “the personal information on the stolen device was properly encrypted… notification is not always required.”
So there could be someone out there right now, with a stolen laptop containing all your personal data, with as long as they need to crack the encryption…and you would have no way of knowing because the company doesn’t have to tell you since they had “proper encryption” –whatever that is.
Here’s the article and website where I got the quotes:
http://www.credant.com/solutions/solutions-for-compliance/state-data-breach-laws.html(keep in mind when reading this the ‘data’ is provided by a company trying to sell something.)