Institutions Face Bewildering Web of Breach Notification Statutes: GAO Report

The latest disclosure of a data breach involving financial information underscores the need for a comprehensive response program, including compliance with federal and state notification laws. Fidelity National Information Services revealed in July that a former employee of its Certegy check processing unit stole consumer information and sold it to a data broker, who in turn sold it to several direct marketing organizations. The incident involved no intrusion into Certegy’s information systems: it was misuse of authorized access by an insider, which triggers the same notification obligations as an external attack.

The misappropriated information included names, addresses and telephone numbers as well as, in many cases, dates of birth and bank account or credit card information. Approximately 2.3 million records are believed to be involved, with approximately 2.2 million containing bank account information and 99,000 containing credit card information. The company is still investigating the period over which the thefts occurred. Among the steps the company is taking are notification of affected customers and of the relevant state agencies.

As the number of reported breaches and the ensuing media coverage have escalated, state legislatures and federal regulatory bodies have enacted a variety of requirements mandating responses to such events, including customer notification. As of late 2006, thirty-three states had adopted notification laws, and activity at the state level has continued in 2007, with six bills from 2006 either requiring further study or scheduled to be carried over for consideration in 2007.

According to a report issued in June by the U.S. Government Accountability Office (GAO Report 07-737), a number of challenges exist in complying with the breach notification requirements in state laws and federal banking guidance, such as interpreting ambiguous statutory language, identifying and locating affected consumers, and developing effective notification letters. Some laws don’t adequately define encryption, which could be read to cover anything from simple password protection to strong cryptographic encryption, even though a password on a file or application is an access control and does not by itself render the underlying data unreadable. Similarly, financial institutions must determine whether misuse of breached information is “reasonably possible,” a judgment that is hard to make when little is known about the location of the data, the intent of the criminal who stole it, or the effectiveness of the security features meant to render the data inaccessible.

Notification requirements don’t fully address who should bear the cost of and responsibility for notification, particularly where a third party is responsible for the breach. Institutions whose credit and debit cards are compromised by a merchant that isn’t the institution’s service provider are generally not required by the banking regulators’ guidance to notify their customers, but in some cases they nevertheless feel obliged to do so. Third-party breaches of card information can damage an institution’s reputation and impose costs for notifying customers and reissuing cards.

It can also be difficult to identify which consumers may have been affected by a breach and to obtain accurate, current contact information for them, which can be costly. This is a particular problem for entities, such as merchants, that hold the compromised card numbers but not the mailing addresses associated with them.

Since most breaches involve customers in many states, there’s also the challenge of complying with multiple state laws at once. Breach notification requirements vary among the states in who must be notified, the level of risk that triggers a notice, the form and content of the notification, and the exceptions to the requirement.

Entities subject to breach notification requirements may incur costs regardless of whether they actually suffer a breach, for example the cost of developing and formalizing incident response plans. Actual notifications bring further costs, potentially including printing, postage, legal, investigative, and public relations expenses. A 2006 Ponemon Institute survey of companies that had experienced a data breach found that the 31 responding companies incurred an average of $1.4 million per breach, or $54 per record breached, for mailing notification letters, call center expenses, courtesy discounts or services, and legal fees.

Institutions whose customers’ account information is breached also may incur costs for remedial steps such as canceling existing accounts or replacing affected customers’ credit or debit cards—although such steps may not be required by the applicable breach notification requirements.

A 2005 study by the Ponemon Institute found that 52 percent of survey respondents who had received a notification letter said the letter was not easy to understand. Consumers might also be confused by other mail that resembles notification letters: the GAO report cites officials at one large national bank who noted that marketing solicitations for credit monitoring services are often designed to look like breach notification letters, potentially desensitizing or confusing consumers when a genuine notification arrives.

About the Author

Andrew Miller

Contributing Writer, ISMG

Andrew Miller is a freelance writer specializing in financial services and information technology. He holds an MBA from Columbia University and a Master's in computer science from Rensselaer Polytechnic Institute. He has held jobs at CMP Media, MetLife, and Gartner.