@Info.Policy: Will California's security notice law help or hurt?
- By Robert Gellman
- Sep 24, 2003
What happens when a security breach results in unauthorized disclosure of personal information? Should the persons concerned get a notice about the breach?
These are surprisingly hard questions to answer well. A California law that took effect July 1 is the first of its kind to require giving notice, and its limitations point to some difficulties.
If an organization doing business in California suffers a breach of computer data, it must send written or electronic notice to the data subjects. If the breach involves zillions of records or would cost a fortune, the law has a substitute provision for using e-mail, Web sites and press releases to notify the public.
Let's go over some of the problems. First, the law applies only to computerized data, not, for example, to a hospital break-in that exposes paper records.
Second, the law applies only when names and unencrypted identification numbers are compromised. If someone accesses your e-mail account, notice is not ordinarily required. Did you think that reducing the use of Social Security numbers as IDs would guard privacy better? Well, not in this case.
Third, the purpose of the California law is to help stop identity theft.
What steps can the recipient of a notice take to prevent being victimized? The answer is, not many.
You can run to the credit bureau for a copy of your credit report, but it's unlikely to reveal much.
You can pay for an expensive credit watch service, but that would help only after the fact. Once someone opens an account in your name, it is too late.
Buy ID theft insurance? I wouldn't spend the money.
In California but not elsewhere, you can freeze the granting of credit in your name. A freeze has many unattractive repercussions, however. Even pro-privacy groups caution against its casual use.
So will it really help if hundreds of thousands of people receive notice, then panic, descend on credit bureaus and buy services that won't solve a problem that might not be acute? I have my doubts.
We can agree that we need better computer security. The cost of complying with a notice law offers an incentive for improvement, but it ranks low against existing reasons for good security.
We can also agree about the need for better protections against identity theft. But most notice recipients are not likely to become victims of identity theft. Notification in fact might victimize them by encouraging pointless actions that serve mostly to enrich credit bureaus.
Should the feds pass a similar law? Sen. Dianne Feinstein (D-Calif.) has sponsored S 1350 to do just that. I wouldn't want to see any federal action until we know what happens with the California law. Does notice help more than it hurts? Maybe we can figure out which breaches warrant a warning and which don't.
There's a good idea somewhere in California's notice law. Let's not go national with breach notices until we figure out what it is.
Robert Gellman is a Washington privacy and information policy consultant.