Here there's no clear legal answer. Generally, it is agreed that it's the original company's responsibility. But, there's no federal law, so security professionals have to rely on a patchwork of state laws that leave it unclear exactly who is responsible for notifying consumers of data breaches – an enormous headache.
For example, when thousands of names and email addresses were compromised in the breach of online marketing giant Epsilon, every one of its clients – major companies like Best Buy and Capital One – stepped in and sent out notifications. Maddeningly, with different laws in different states, none of the companies really knew their legal responsibilities, so they simply blanketed their email lists with notifications.
Everyone agrees that the goal of the various data breach notification laws, besides their attempt to entice companies to prioritize security, is to make consumers more cautious about the information they disclose. Unfortunately, the laws and their murky requirements have resulted in so many notifications that they are having the exact opposite effect on consumers, while saddling IT professionals with extremely time-consuming responsibilities.
Real-world security is a function of marginal added protection: Is the cost of this security measure justified by the reduction in the chance of a breach? While the cost of sending one notification out to thousands of customers isn't great, it's the repeated sending of notifications that is costly and ineffective, adding no more security for consumers and making it no more likely they'll change their habits.
Admittedly, the emergence of a business model where companies offer a free service in exchange for personal data may spur a federal breach disclosure law, or even more expansive legislation. Consumers are already allowing these companies to peddle their personal data to third parties. One significant overstep in personal data privacy could bring about much stricter regulations than those currently on the books.
Worsening the problem is that consumers tend to trust the larger, better-known companies. And it's true, these organizations have more rigorous processes for vetting third parties. But, invariably, it's just a matter of time until they sell customer data to a wolf in sheep's clothing.
Furthermore, a generation of internet users has grown up sharing much more personal information than their wary elders would. If data disclosure laws are burdensome now, they'll overrun IT departments when the Facebook generation enters the workforce.
Regulation isn't always the answer. Yet, here, the fragmented approach taken by the states has made notifications meaningless, expensive and time-consuming. Current data breach laws simply don't provide users with understandable guidelines for how to adjust their behaviors. Simple, actionable rules would ensure data breaches get the gravitas they deserve.
Ultimately, the standard of care for data is evolving, and measures once considered high security are now easily bypassed. And while social norms concerning online privacy and security are dynamic, a practical, actionable vigilance can be ingrained in consumers and businesses alike with the appropriate approach to data breach notifications.
Jeff Schmidt is the founder and chief executive officer of JAS Global Advisors, and a two-decade veteran of the information security industry.