Personally identifiable information (PII) — any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another, or to de-anonymize otherwise anonymous data, can be considered PII. Breach notification laws typically focus on notifying the public when PII might have been exposed to unauthorized individuals, particularly in the context of financial or medical information.
Breach — an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual not authorized to do so; data breaches may involve protected health information (PHI), PII, trade secrets or intellectual property.[45]
As more companies are successfully attacked in cyberspace, policy-makers are trying to develop procedures around informing customers, regulators, citizens, investors and other affected stakeholders when sensitive data is potentially compromised.
Two major axes define the contours of breach notification policy:
1. First, when are companies mandated to report a cyberincident? Or is notification a voluntary disclosure? Which stakeholders should be notified? For example, policy-makers could fashion a hierarchy of notification whereby it would be mandatory to notify law enforcement but voluntary to notify other stakeholders.
2. Second, what form of sanction is attached to the breach itself?
- Should companies pay penalties? On what basis should those penalties be levied? Policy-makers may elect between three broad levels of care that might trigger penalties. The first level, and least stringent, would be to attach “no penalty”, so as to avoid punishing companies victim to an attack. The second would be to penalize companies if they did not maintain a level of care (e.g. consistent with industry standards). The third, and most demanding, would be a policy of strict liability. Companies would be penalized regardless of the duty of care they exercised.
3. Additionally, a few further questions must be asked in crafting policy:
- How long should companies have before they must disclose a breach, and to whom? The trade-off policy-makers should weigh in setting that window is the following: would cyberincident damages be reduced more by allowing a company time to manage an organized response, or by allowing affected individuals to act earlier in a decentralized fashion? One additional consideration is that attempts to set national policy may be undercut by the rules of other jurisdictions. To take a simplified example, a breach notification law with a 10-day window in one country will be effectively nullified for any company that is also subject to a three-day window in another jurisdiction, because the shorter deadline governs. Put differently, the lowest common denominator will prevail. Additionally, within a country, fixed enumerated time limits may create their own issues: cyberincidents differ, and the extent to which a given stakeholder would benefit from knowledge of an incident by a given point in time will also vary materially.
- How should companies notify relevant stakeholders, particularly given the increasing frequency of breaches? These questions become especially salient when trying to combine notification with advisory measures for consumers on how to mitigate the damages caused by a breach.
For each of these policy choices, significant risks and benefits affect the incentives to invest in security and the resultant costs of cybercrime:
- If companies are required to report a breach, then investment in security will increase to avoid either embarrassing publicity or regulatory penalties.
- If companies are required to notify stakeholders and the public at large, they may also undertake additional investment in security to avoid customers abandoning an insecure business. One important consideration, however, is that customers, and consumers in particular, are becoming increasingly inured to breach notifications (a phenomenon known as “data breach fatigue”), which weakens this incentive over time.
- If companies are required to pay penalties, particularly where those penalties are meaningfully additive to the expected losses from negative market sentiment, companies will invest still more in security. A policy regime that attached strict liability to a breach, penalizing the company regardless of the care it exercised, would drive a far larger increase in security investment.
- In all of these cases, increasing sanctions will create the classic trade-offs associated with security investment, including diminished opportunities to invest in other parts of a business, or a more general increase in operating costs that might be passed to users.
Policy model: Notification requirements
Key values trade-offs created by notification policy choices
Connecting policy to values
Notification policy has important implications for a number of values principally animated by the extent to which such policy drives accountability:
- Increased notification requirements and breach-related penalties will increase accountability for organizations in the private sector. In the short term, increased notification requirements are likely to lead to greater costs for these organizations. Costs will increase as a consequence of regulatory penalties, consumer sentiment potentially shifting away from insecure companies, and the subsequent investment of those organizations in increased security controls. Over the longer run, the increased precautions taken by organizations should result in diminished costs associated with security incidents as their security improves. Furthermore, a competitive benefit may be realized by those organizations able to demonstrate more careful stewardship over sensitive data.
- The more expansive notification policy becomes, and the more incident-related data companies are required to report to various stakeholders, the more privacy is likely to be diminished (at least in the short term, until security improves to the point that user and corporate data are more likely to be safeguarded).