Nashville, Tenn., residents got a nasty surprise in December when someone stole two laptops from the Davidson County Election Office that contained the names, addresses and Social Security numbers of about 337,000 voters. Because the information on the laptops was not protected against unauthorized access, the data breach placed those residents at possible risk of fraud, identity theft and other cybercrime. County officials notified the public about the breach in early January, attracting attention that helped lead to the laptops’ recovery. No reports of misuse of the data have surfaced so far, but county officials estimate it will cost the county $1 million to provide victims a year of identity theft protection.
The Davidson County theft and other incidents around the country underscore the need for state legislatures to pass comprehensive data breach notification laws. While sound operational procedures are essential to prevent data breaches that can lead to identity theft, laws that require appropriate public notification after breaches occur can help prevent them and minimize their harm by encouraging agencies to take proper security precautions.
Many state and local governments take the risks of data breaches seriously. Currently, 40 states have breach notification laws, and nearly half of the states are considering more than 60 different bills that would either create new protections or augment existing ones.
To help thwart the risks, any data breach notification law should contain the following elements:
Scope: The legislation should affect all entities that collect, use or sell significant numbers of records containing sensitive personal information, including health and educational institutions, charitable organizations, and third-party credit card processors.
Security: Legislation should require reasonable security measures to ensure the confidentiality and integrity of sensitive personal information. It also should include incentives for all entities to protect data based on existing standards, such as those set out under Gramm-Leach-Bliley, the Fair Credit Reporting Act or widely accepted international standards.
Threshold for notification: The legislation should require entities to notify residents as soon as practical when a data breach has occurred or after coordinating with the appropriate federal, state or local enforcement agency on an investigation. However, residents need to be notified only if someone could reasonably be expected to use the stolen information for identity theft. Over-notification will desensitize residents to situations of true risk.
Enforcement: Simply having data security policies in place is not sufficient. States should strengthen enforcement against entities that fail to use reasonable security measures to protect sensitive personal information. Conversely, organizations that implement those measures should have “safe harbor” exemptions from prosecution.
IT security software, network access control, and e-discovery and records retrieval systems manage data and also detect, limit and prevent unauthorized access to it. Combined with sound laws, technology can help ensure public confidence in government’s ability to protect sensitive information.
The author is a state government relations manager for Cupertino, Calif.-based Symantec Corp.