Friday, March 16, 2007

A good argument for a federal law requiring disclosure of data breaches

An assistant professor at the University of Washington co-authored a study on data breaches (compromised personal and financial information), which reveals that the amount of compromised information out there could be a lot worse than anyone thought.

From Physorg.com:

If Phil Howard’s calculations prove true, by year’s end the 2 billionth personal record – some American’s social-security or credit-card number, academic grades or medical history – will become compromised, and it’s corporate America, not rogue hackers, who are primarily to blame. By his reckoning, electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year.
While the news media is full of stories about hackers, his survey revealed 60 percent of the breaches were due to "organizational mismanagement." The report is referring to lost (stolen) hardware, internal theft, administrative error, or accidentally exposing the information online.

According to the authors, gathering the information for this study wouldn't have been possible before state laws were passed requiring disclosure of data breaches.

Such disclosure laws are on the books in fewer than half of the states.

Phys.org story, here.

Unfortunately, despite a lot of effort, no federal law has been passed, and the most current version before Congress threatens to make it easier not to report data breaches.

Here is a previous post about that subject:

Consumers Union Calls for Congress to Protect People's Personal Information

1 comment:

michael said...

Interesting, I wonder if the answer is a simple tort remedy: the duty to warn.

Doesn't a corporation have a common law duty to warn an individual that it may have innocently, negligently, or fraudulently allowed the individual's privacy to be breached?