Data Breach Message Not Always Reaching Consumers

By Rita Zeidner May 23, 2008

Most U.S. companies are required to tell their employees and other stakeholders when their personal information has been compromised.

But many notices are too vague to be useful to the victims, privacy experts say.

At least 43 states, plus the District of Columbia and Puerto Rico, have enacted legislation requiring notification of security breaches involving personal information, according to the National Conference of State Legislatures. But all too often, companies leave out critical details of the breach, according to Beth Givens, director of the Privacy Rights Clearinghouse, a not-for-profit consumer-advocacy group in San Diego that compiles information on data breaches.

It's not just consumers and customers who are victimized by data breaches. In many instances it's data from a company's employee database that is compromised. A listing of data breaches posted on the PRC web site and confirmed independently by SHRM Online shows several major breaches of employee data during the first three weeks of May 2008. Among them:

  • The theft of a laptop containing the personnel information, including names, dates of birth and Social Security numbers of employees of Harrisonburg (Penn.) City Schools. The computer was stolen from an insurance vendor’s car.
  • A breach in an Oklahoma State University computer server exposed names, addresses and Social Security numbers of about 70,000 students, staff and faculty who bought parking and transit services permits in the past six years.
  • About 13,000 employees of the pharmaceutical firm Pfizer Inc., including about 5,000 from Connecticut, had their personal information compromised when a company laptop and flash drive were stolen. According to the Associated Press, Pfizer told employees in an e-mail that the company is not required to notify employees about data breaches involving information unlikely to lead to identity theft, but it brought the situation to light "as a matter of transparency and respect for colleagues."

Givens, in a telephone interview with SHRM Online, said she frequently receives complaints from workers frustrated by their employer's response to a personnel file data breach. Without referencing specific incidents, she said some victims are put off by what they perceive to be a lack of contrition on the part of their employer. Others feel as though they are left in the dark and not provided the assistance they believe they need to guard their credit and prevent the theft of their identity.

Ideally, she said, an employer will provide the following information and services to workers believed to be affected by such a breach:

  • Full details of the incident, including when the breach occurred and how.
  • A description of the information that was exposed.
  • A description of steps the employer is taking to ensure the incident doesn't happen again.
  • Information on how to order a credit report.
  • A live person to help explain to affected workers what has happened and what they need to do next.

A recent survey by security vendors confirms the inadequacy of many organizations' data breach notices. In a survey released in April 2008 by the Michigan-based Ponemon Institute, 63 percent of respondents said notification letters they received offered no direction on the steps consumers should take to protect their personal information. About half of respondents rated the timeliness, clarity and quality of the notification as either fair or poor. Two percent of respondents that had been notified of a data breach experienced identity theft as a result of the breach, while 64 percent were unsure if they were a victim of identity theft.

State Data Breach Notification Laws

  • Arizona: Ariz. Rev. Stat. § 44-7501 (2007 S.B. 1042, Chapter 23)
  • Arkansas: Ark. Code § 4-110-101 et seq.
  • California: Cal. Civ. Code § 1798.82
  • Colorado: Colo. Rev. Stat. § 6-1-716
  • Connecticut: Conn. Gen. Stat. 36a-701(b)
  • Delaware: Del. Code tit. 6, § 12B-101 et seq.
  • Florida: Fla. Stat. § 817.5681
  • Georgia: Ga. Code §§ 10-1-910, -911
  • Hawaii: Haw. Rev. Stat. § 487N-2
  • Idaho: Idaho Code §§ 28-51-104 to 28-51-107
  • Illinois: 815 ILCS 530/1 et seq.
  • Indiana: Ind. Code §§ 24-4.9 et seq., 4-1-11 et seq.
  • Iowa: 2008 S.F. 2308
  • Kansas: Kan. Stat. 50-7a01, 50-7a02
  • Louisiana: La. Rev. Stat. § 51:3071 et seq.
  • Maine: Me. Rev. Stat. tit. 10 §§ 1347 et seq.
  • Maryland: Md. Code, Com. Law § 14-3501 et seq.
  • Massachusetts: 2007 H.B. 4144, Chapter 82
  • Michigan: Mich. Comp. Laws § 445.61 et seq.
  • Minnesota: Minn. Stat. §§ 325E.61, 325E.64
  • Montana: Mont. Code § 30-14-1701 et seq.
  • Nebraska: Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
  • Nevada: Nev. Rev. Stat. 603A.010 et seq.
  • New Hampshire: N.H. Rev. Stat. §§ 359-C:19 et seq.
  • New Jersey: N.J. Stat. 56:8-163
  • New York: N.Y. Gen. Bus. Law § 899-aa
  • North Carolina: N.C. Gen. Stat. § 75-65
  • North Dakota: N.D. Cent. Code § 51-30-01 et seq.
  • Ohio: Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
  • Oklahoma: Okla. Stat. § 74-3113.1
  • Oregon: 2007 S.B. 583, Chapter 759
  • Pennsylvania: 73 Pa. Stat. § 2303 (2005 S.B. 712, Act 94)
  • Rhode Island: R.I. Gen. Laws § 11-49.2-1 et seq.
  • South Carolina: 2008 S.B. 453, Act 190
  • Tennessee: Tenn. Code § 47-18-2107
  • Texas: Tex. Bus. & Com. Code § 48.001 et seq.
  • Utah: Utah Code §§ 13-44-101, -102, -201, -202, -310
  • Vermont: Vt. Stat. tit. 9 § 2430 et seq.
  • Virginia: 2008 S.B. 307, Chapter 566
  • Washington: Wash. Rev. Code § 19.255.010
  • West Virginia: 2008 S.B. 340, Chapter 37
  • Wisconsin: Wis. Stat. § 895.507
  • Wyoming: Wyo. Stat. § 40-12-501 to -501
  • District of Columbia: D.C. Code § 28-3851 et seq.
  • Puerto Rico: 2005 H.B. 1184, Law 111

Source: National Conference of State Legislatures.

Rita Zeidner is senior writer for HR Magazine.
