Data Breach Message Not Always Reaching Consumers

By Rita Zeidner May 23, 2008

Most U.S. companies are required to tell their employees and other stakeholders when their personal information has been compromised.

But many notices are too vague to be useful to the victims, privacy experts say.

At least 43 states, plus the District of Columbia and Puerto Rico, have enacted legislation requiring notification of security breaches involving personal information, according to the National Conference of State Legislatures. But all too often, companies leave out critical details of the breach, according to Beth Givens, director of the Privacy Rights Clearinghouse, a not-for-profit consumer-advocacy group in San Diego that compiles information on data breaches.

It's not just consumers and customers who are victimized by data breaches. In many instances it's data from a company's employee database that is compromised. A listing of data breaches posted on the PRC web site and confirmed independently by SHRM Online shows several major breaches of employee data during the first three weeks of May 2008. Among them:

  • The theft of a laptop containing the personnel information, including names, dates of birth and Social Security numbers of employees of Harrisonburg (Penn.) City Schools. The computer was stolen from an insurance vendor’s car.
  • A breach in an Oklahoma State University computer server exposed names, addresses and Social Security numbers of about 70,000 students, staff and faculty who bought parking and transit services permits in the past six years.
  • About 13,000 employees of the pharmaceutical firm Pfizer Inc., including about 5,000 from Connecticut, had their personal information compromised when a company laptop and flash drive were stolen. According to the Associated Press, Pfizer told employees in an e-mail that the company is not required to notify employees about data breaches involving information unlikely to lead to identity theft, but it brought the situation to light "as a matter of transparency and respect for colleagues."

Givens, in a telephone interview with SHRM Online, said she frequently receives complaints from workers frustrated by their employer's response to a personnel file data breach. Without referencing specific incidents, she said some victims are put off by what they perceive to be a lack of contrition on the part of their employer. Others feel as though they are left in the dark and not provided the assistance they believe they need to guard their credit and prevent the theft of their identity.

Ideally, she said, an employer will provide the following information and services to workers believed to be affected by such a breach:

  • Full details of the incident, including when the breach occurred and how.
  • A description of the information that was exposed.
  • A description of steps the employer is taking to ensure the incident doesn't happen again.
  • Information on how to order a credit report.
  • A live person to help explain to affected workers what has happened and what they need to do next.

A recent survey by security vendors confirms the inadequacy of many organizations' data breach notices. In a survey released in April 2008 by the Michigan-based Ponemon Institute, 63 percent of respondents said the notification letters they received offered no direction on the steps consumers should take to protect their personal information. About half of respondents rated the timeliness, clarity and quality of the notification as either fair or poor. Two percent of respondents who had been notified of a data breach experienced identity theft as a result of the breach, while 64 percent were unsure whether they were a victim of identity theft.

State Data Breach Notification Laws

Arizona: Ariz. Rev. Stat. § 44-7501 (2007 S.B. 1042, Chapter 23)
Arkansas: Ark. Code § 4-110-101 et seq.
California: Cal. Civ. Code § 1798.82
Colorado: Colo. Rev. Stat. § 6-1-716
Connecticut: Conn. Gen. Stat. § 36a-701(b)
Delaware: Del. Code tit. 6, § 12B-101 et seq.
Florida: Fla. Stat. § 817.5681
Georgia: Ga. Code §§ 10-1-910, -911
Hawaii: Haw. Rev. Stat. § 487N-2
Idaho: Idaho Code §§ 28-51-104 to 28-51-107
Illinois: 815 ILCS 530/1 et seq.
Indiana: Ind. Code §§ 24-4.9 et seq., 4-1-11 et seq.
Iowa: 2008 S.F. 2308
Kansas: Kan. Stat. §§ 50-7a01, 50-7a02
Louisiana: La. Rev. Stat. § 51:3071 et seq.
Maine: Me. Rev. Stat. tit. 10 §§ 1347 et seq.
Maryland: Md. Code, Com. Law § 14-3501 et seq.
Massachusetts: 2007 H.B. 4144, Chapter 82
Michigan: Mich. Comp. Laws § 445.61 et seq.
Minnesota: Minn. Stat. §§ 325E.61, 325E.64
Montana: Mont. Code § 30-14-1701 et seq.
Nebraska: Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
Nevada: Nev. Rev. Stat. § 603A.010 et seq.
New Hampshire: N.H. Rev. Stat. §§ 359-C:19 et seq.
New Jersey: N.J. Stat. § 56:8-163
New York: N.Y. Gen. Bus. Law § 899-aa
North Carolina: N.C. Gen. Stat. § 75-65
North Dakota: N.D. Cent. Code § 51-30-01 et seq.
Ohio: Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
Oklahoma: Okla. Stat. § 74-3113.1
Oregon: 2007 S.B. 583, Chapter 759
Pennsylvania: 73 Pa. Stat. § 2303 (link not available) (2005 S.B. 712, Act 94)
Rhode Island: R.I. Gen. Laws § 11-49.2-1 et seq.
South Carolina: 2008 S.B. 453, Act 190
Tennessee: Tenn. Code § 47-18-2107
Texas: Tex. Bus. & Com. Code § 48.001 et seq.
Utah: Utah Code §§ 13-44-101, -102, -201, -202, -310
Vermont: Vt. Stat. tit. 9 § 2430 et seq.
Virginia: 2008 S.B. 307, Chapter 566
Washington: Wash. Rev. Code § 19.255.010
West Virginia: 2008 S.B. 340, Chapter 37
Wisconsin: Wis. Stat. § 895.507
Wyoming: Wyo. Stat. § 40-12-501 to -501
District of Columbia: D.C. Code § 28-3851 et seq.
Puerto Rico: 2005 H.B. 1184, Law 111

Source: National Conference of State Legislatures.

Rita Zeidner is senior writer for HR Magazine.
