Thursday, January 12, 2006 - The Progress & Freedom Foundation Blog

Breach Notification - It Is Never Pretty

The start of the New Year brought consumers in Illinois, Louisiana and New Jersey new laws on data security. Specifically, each law details the steps that must be taken if there is a breach of a firm's management system for personal information about its consumers. I've lost count, but there are now about two dozen states with their own statutory provisions regarding breach notification.

Perhaps that is what prompted a Connecticut-based bank to announce yesterday that it lost records on 90,000 customers. This in itself is a problem. Surely some of the 90,000 consumers will be unhappy with information about them floating around somewhere between Bridgeport and the credit bureau it was destined for in Woodlyn, Pennsylvania. Other banking customers will be unhappy with the effects of the major expense and hassle associated with the mishap. As the bank undertakes considerable expense to remediate the situation, profits may fall (a loss to shareholders) and fees on services may rise.

What is striking is the extent to which this problem is not a digital or technological problem.

Why? The records were lost in transit - via UPS. A hacker gaining access to proprietary bank computers? Nope. A crew of decentralized anarchists hoping to bring down an industry leader? Nope. An evil genius employee who stole secret access codes from the bank's data management vendor? Nope. As far as we know, this is simply a case of a lost package.

Records are an important asset for a business dealing in financial assets. However, security is not a new problem for banks. From the stolid architectural designs of yesterday's downtown "main branch" to the most advanced electronic scanners and cameras used today, banks have always cared about security. To a lesser degree, other types of firms that collect and manage personal information about consumers have a stake in protecting data as well. Let's hope that the 2006 policy discussions about breach, data security and notification mandates don't overemphasize the digital aspect of storage and transport. Data security - as evidenced yesterday in Connecticut - is a much broader issue.

posted by @ 3:42 PM | Privacy