[BreachExchange] The folly of data-breach notification and how it can be fixed

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 25 20:32:41 EDT 2016


http://www.seattletimes.com/opinion/the-folly-of-data-breach-notification-and-how-it-can-be-fixed/

The headlines announcing compromise of perhaps 1 billion user files at
Yahoo underscore the pervasive nature of data breaches in today’s online
environment. Yahoo is sending notifications to its account holders,
notifying them that their personal data have been hacked.

Like the breaches at Target, Premera and thousands of other firms, the
breach notifications basically tell the recipients:

• Their data have been hacked

• The company can’t confirm the identity of the perpetrator

• Yahoo isn’t sure what was taken or how it has been used

• Customers should avail themselves of credit-reporting services.

In light of these unhelpful breach notices, is it any wonder that consumers
respond with anxiety and frustration? As someone who has served as a
privacy officer in corporate and government roles, I’d like to propose that
it is well past time to overhaul our privacy-notice and breach-notification
regimes.

We need to give consumers more information up front about how their data
are being used and shared, obtain more meaningful consent from people when
they agree to give their data to a firm and increase transparency in the
event of a data breach. The tools to accomplish these tasks exist today,
and more privacy-conscious companies, such as Microsoft, are already
employing some of them.

Our current data-protection scheme in the U.S. is broken, making it more
difficult for our companies to do commerce abroad and to process the data
of citizens of other jurisdictions. While the upcoming Privacy Shield “safe
harbor” will facilitate commerce with citizens of the European Union, it
does not address the underlying deficiencies in our privacy system.

Simply put, we need to give consumers more tools to protect their personal
information. To use these tools, we need to give individuals transparency
in context: How long will my data be kept? Will they be shared and with
whom? Will I have access to my own data?

In 1995, I wrote one of the first consumer-facing privacy policies for an
internet company. The policy described our data-collection practices in one
page. Even in those early days, we noticed that few consumers clicked on
our privacy policy. Today, privacy policies can be 30 to 40 pages,
describing myriad scenarios of how a company might use the data provided by
its customers. A tiny fraction of consumers read them. In one
well-publicized case, a British game company told users in its terms of
service policy that they were consenting to “sell their immortal soul” to
the company. Thousands of online consumers immediately accepted the deal.

While such policies provide corporations with legal protection, no one
seriously argues anymore that they provide meaningful consent in a
practical form.

Making it as easy for consumers to consent to data-usage practices as it is
for them to originally sign up for an online service or account would go a
long way toward building trust and long-term relationships. People would
feel more secure about how a company used their data and, in turn, would
have less anxiety in the event of a data breach.

Moving to a more transparent data-protection regime would also benefit U.S.
firms doing business in Europe and other jurisdictions, which have already
adopted and implemented codes of “fair information practices.” In a world
where people have the expectation that their data move with them wherever
they travel or live, we need to adopt concepts of data protection that are
not tied to one nation.

While 47 states have individual data-breach-notification statutes,
harmonizing these laws at the currently low level of consumer protection
makes little sense. Rather, companies, nonprofits and other entities that
collect user information online should treat the people who use their
services with more respect: telling them what information they have about a
breach, how long they have known about it and their strategy for coping
with this instance and future breaches.

The United States benefited for many years from the absence of general
privacy or data-protection laws, relying on the Federal Trade Commission
and the Federal Communications Commission to bring enforcement actions in
salient cases. We now need to consider a general data-protection statute
along the lines of the European Union’s. We also need to encourage
experiments with “consent in context” and other means for companies to give
people who consume their products and services much more meaningful control
over their personal data.

American firms don’t need to wait for new laws to begin this process.
Investment in crafting new websites and user tools could be modest, but
companies would secure more loyal customers in more jurisdictions as the
internet continues to erase traditional borders.