Call for worldwide breach notification laws

17 Sep 2007

High-profile security breaches such as the theft of financial details of more than 46.7 million TK Maxx customers, together with the burgeoning volume of personal data held by businesses, have led the chief security strategist of a major software firm to call for unified and stringent international laws requiring firms to reveal breaches as they occur.

Chief security strategist at Citrix Kurt Roemer said that governments, including Ireland, should establish laws requiring organisations to notify individuals in the event that their personal information is compromised in a data security breach.

In March of this year it emerged that details of 45.7 million customers of US retailer TJX (known here in Ireland as TK Maxx) were stolen. The data was accessed on TJX’s systems in the UK and in Massachusetts over a 16-month period and covered credit and debit card transactions dating as far back as December 2002.

Such breaches have prompted governments around the world to consider implementing stringent breach notification laws.

He said that as well as protecting consumers, these laws will also be important to businesses. Irish companies, for example, that operate in Ireland but also have offices in other locations around the world could find complying with a patchwork of breach notification laws onerous.

Roemer, however, believes that these laws must be unified in order to reduce costs for businesses and that companies should support such a movement.

“I see there being a tremendous sense of urgency on this. Digital identities are being created and managed online every day, leading to a tremendous amount of data on consumers sitting on servers in organisations in the retail, healthcare and financial world. In the past, this information was locked in filing cabinets, but today it is on a server that, if not properly secured, could be accessible to anyone with a browser who knows what they’re doing.”

In most cases breach notification laws are created on the basis of a major revelation, such as the exposure of 145,000 customer records by hackers at ChoicePoint, which cost the company US$6m. He pointed to the US, where 39 states have breach notification laws, and said the EU is actively looking at providing a new directive enforcing more member state participation.

He said that since January 2005 more than 166 million data records have been exposed through hackers attacking servers, executives losing laptops and malicious corporate insiders. “It’s not just hackers and criminals that are the problem; people in organisations can do stupid things.”

Roemer continued: “For PR reasons businesses that have experienced security breaches would have tried to keep them out of the press to avoid embarrassment. Unfortunately this policy puts consumers at risk.”

He said that once a security breach occurs, costs can continue to mount even after the event. “TJX had some 45.7 million customer records exposed and took a US$256m charge — this is 10 times the charge they originally estimated and they are nowhere near done.”

Roemer cited research firm Forrester which estimates that it can cost a business between US$90 and US$305 per lost record.

He pointed to the California State Bill AB779 which makes retailers responsible for the cost of the breach. “Previously, if you incurred a breach, merchant banks ate the cost of that breach. Now retailers have to pay the cost of lost records. It can take businesses weeks and even months to rebuild credit and create their automated payments system, and this could be just after a minor breach.”

The movement to support unified international breach notification laws may still be quite nascent but Roemer believes there is a groundswell of support for them. “A UK House of Lords committee is calling for it, the European Commission is recommending a directive for it. The US government is requiring all Federal agencies to have breach notification procedures and at overall government level they are requiring breach notification laws for all states.

“Unified breach notification laws are in everyone’s interest. Businesses shouldn’t fear disclosure. When you take a look at TJX it hasn’t materially affected the company’s continuing performance. But while it is continuing to grow its business, it is finding executives are spending a lot of time responding to the fallout of the breach,” Roemer concluded.

By John Kennedy