Institutions Face Bewildering Web of Breach Notification Statutes: GAO Report
The misappropriated information included names, addresses and telephone numbers as well as, in many cases, dates of birth and bank account or credit card information. Approximately 2.3 million records are believed to be involved, with approximately 2.2 million containing bank account information and 99,000 containing credit card information. The company is still investigating the time period over which the thefts occurred. Among the steps the company is taking is notification of affected customers and governing state agencies.
As the number of reported breaches and the ensuing media coverage has escalated, state legislative and federal regulatory bodies have enacted a variety of requirements mandating responses to such events, including customer notification. As of late 2006, thirty-three states had adopted notification laws, and activity at the state level has continued in 2007, with six bills from 2006 either requiring further study or scheduled to be carried over for consideration in 2007.
According to a report issued in June by the U.S. Government Accountability Office (GAO Report 07-737), a number of challenges exist in complying with the breach notification requirements in state laws or federal banking guidance, such as interpreting ambiguous statutory language, identifying and locating affected consumers, and developing effective notification letters. Some laws don't adequately define encryption, which could refer to anything from simple password protection to complex coding. Similarly, financial institutions must determine whether misuse of breached information is "reasonably possible," such as when little information exists about the location of the data, the intent of a criminal who stole data, or the effectiveness of security features designed to render data inaccessible.
Notification requirements don't fully address who should bear the cost of and responsibility for notification, particularly in cases where a third party is responsible for the breach. Institutions that issue credit and debit cards compromised by a merchant that's not the institution's service provider are generally not required by the banking regulators' guidance to notify their customers, but nevertheless in some cases they feel obliged to do so. Breaches of credit card information by third parties can adversely affect an institution's reputation and result in costs related to notifying customers and reissuing cards.
It can also be difficult to identify which consumers may have been affected by a breach and obtain their contact information. Obtaining accurate and current mailing addresses for affected parties also can be difficult and costly. This can be a particular problem for entities, such as merchants, that have breached credit card numbers but don't themselves possess the mailing addresses associated with those numbers.
Since most breaches involve customers in many states, there's also the challenge of complying with multiple state laws. Breach notification requirements vary among the states, including who must be notified, the level of risk that triggers a notice, the nature of the notification, and exceptions to the requirement.
Entities subject to breach notification requirements may incur certain costs, regardless of whether they actually suffer a breach. For example, entities may incur costs for developing and formalizing incident response plans. There are also the costs associated with actual notifications, potentially including printing, postage, legal, investigative, and public relations expenses. A 2006 Ponemon Institute survey of companies experiencing a data breach found that the 31 companies that responded incurred an average of $1.4 million per breach, or $54 per record breached, for costs related to mailing notification letters, call center expenses, courtesy discounts or services, and legal fees.
Institutions whose customers' account information is breached also may incur costs for remedial steps such as canceling existing accounts or replacing affected customers' credit or debit cards, although such steps may not be required by the applicable breach notification requirements.
A 2005 study conducted by the Ponemon Institute found that 52 percent of survey respondents who received a notification letter said the letter was not easy to understand. In addition, consumers might be confused by other mail solicitations that may resemble notification letters. For example, the GAO report cites a case where officials at one large national bank noted that marketing solicitations for credit monitoring services often are made to resemble breach notification letters, potentially desensitizing or confusing consumers when a true notification letter arrives.