Rationale for data breach notification

Identity theft

51.4 In the US, concerns about identity theft and identity fraud have been the main issues driving the development of data breach notification laws.[2] As discussed in Chapter 12, identity theft is a subset of the broad concept of ‘identity crime’ and is used to describe the illicit assumption of a pre-existing identity of a living or deceased person, or of an artificial legal entity such as a corporation.[3] A stolen identity can be used to commit ‘identity fraud’, which is where a fabricated, manipulated or stolen identity is used to gain a benefit or avoid an obligation. An example of identity fraud is using a stolen identity to make fraudulent purchases or steal money from a victim (known as ‘account takeover’).[4] Another example of identity fraud is where a criminal uses personal information about an identity theft victim to open new accounts in the name of the victim (sometimes called ‘true name fraud’).[5]

51.5 With advances in technology, agencies and organisations are storing vast amounts of identifying information electronically.[6] Any breach of the secure storage of this information can result in the release of personal, identifying information of an individual. That personal information may be sufficient to allow an unauthorised person to assume the identity of the victim and use that illicit identity to open, for example, new accounts in the victim’s name.

51.6 For these reasons, a security breach, resulting in unauthorised ‘leaks’ or acquisitions of information, is thought to contribute to the risk of identity theft, and the consequent risks of identity fraud.[7] By requiring notice to persons who may be affected adversely by a breach, data breach notification laws ‘seek to provide such persons with a warning that their personal information has been compromised and an opportunity to take steps to protect themselves against the consequences of identity theft’.[8] As one commentator explains:

Identity theft and identity fraud have emerged as serious crimes for consumers, citizens and business … Given the peculiar nature of this type of theft—namely, that it can be perpetrated by accessing information stored in places uncontrolled by the victim and in places of which the victim is often unaware—legislators have passed or are considering passing laws which require that the consumer be notified in the event of a data breach.[9]

51.7 Data breach notification laws are, therefore, based on the recognition that ‘individuals need to know when their personal information has been put at risk in order to mitigate potential identity fraud damages’.[10]

Lack of market incentives for notification

51.8 Some commentators suggest that the obligation to notify individuals of a data breach needs to be mandated legally because the market, by itself, may not provide sufficient incentives for organisations to take measures to notify individuals affected by the breach.[11] In particular, an organisation may not have an incentive to notify individuals affected by a security breach when the cost of the notification exceeds the expected damage to the organisation.[12]

51.9 The cost of notification does not just include the actual cost involved in notifying every individual affected by a security breach, although that, by itself, can be very expensive. Notifying customers of a security breach also gives rise to a real potential for market damage to the organisation, including reputational damage, lost customers and lost future profits. Notification also can expose an organisation to civil penalties from regulators and costly private litigation proceedings by individuals affected. If the organisation has a high profile or the security breach is large, notification also can result in negative publicity in the media. In these circumstances, an organisation may avoid reporting a security breach if it is not legally required to do so, as the cost to the organisation of notifying individuals significantly outweighs the costs caused by the actual breach. For these reasons, it has been observed that, in the absence of a legal requirement to notify, market forces may ‘undersupply notification’.[13]

Incentives to secure data

51.10 Given the reputational damage that can flow from having to disclose a security breach, it has been suggested that the existence of a data breach notification law provides commercial incentives for organisations to take adequate steps in the first place to secure data.[14] The purpose of the Delaware data breach notification legislation, for example, is to ‘help ensure that personal information about Delaware residents is protected by encouraging data brokers to provide reasonable security for personal information’.[15] This is an important effect of data breach notification, particularly as organisations in the US may not be subject to data security obligations such as those in the Privacy Act.[16]

Increasing number of data breaches

51.11 The rapid growth in data breach notification laws in the US in the past few years is said to be a direct response to a series of high profile, well-publicised data breaches.[17] One of the most notorious data breaches was the disclosure by ChoicePoint, a large identification and credential verification organisation, of sensitive information it had collected on 145,000 individuals.

51.12 The Privacy Rights Clearinghouse maintains a Chronology of Data Breaches, which lists all breaches reported in the US that expose individuals to identity theft or breaches that qualify for disclosure under state laws. As at 28 April 2008, the total number of records containing sensitive personal information involved in security breaches was 226 million.[18] It also is important to note that not all data breach incidents have involved electronic records. For example, in Florida, the medical records of 27 hospital patients were discovered being used as scrap paper in a Utah primary school classroom.[19] Security breaches, therefore, are a concern in the US community.

51.13 There also have been high profile data breaches in the United Kingdom (UK). In 2007, the UK Government’s HM Revenue and Customs department, which is responsible for collecting tax revenue as well as paying tax credits and child benefits, lost two CDs containing confidential information—including the dates of birth, addresses, bank accounts and national insurance numbers—of over 25 million child benefit recipients. The entire child benefit database was sent by a junior official from a regional office to the National Audit Office in London via courier and without a registration or a tracking number.[20] Following the breach, the UK Government made a commitment to amend the Data Protection Act 1998 (UK) to allow the Information Commissioner to carry out inspections of organisations that collect and use personal information and provide new sanctions for breaches of the data protection principles.[21]

[2] See Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 1. Ch 12 discusses identity theft—and the related concepts of ‘identity crime’ and ‘identity fraud’—in more detail.

[3] Australasian Centre for Policing Research and Australian Transaction Reports and Analysis Centre Proof of Identity Steering Committee, Standardisation of Definitions of Identity Crime Terms: A Step Towards Consistency (2006), 15.

[4] See M Turner, Towards a Rational Personal Data Breach Notification Regime (2006) Information Policy Institute, 2.

[5] See Ibid, 2.

[6] Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 1.

[7] See M Turner, Towards a Rational Personal Data Breach Notification Regime (2006) Information Policy Institute; Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007).

[8] T Smedinghoff, Security Breach Notification—Adapting to the Regulatory Framework (2005) Baker & McKenzie <www.bakernet.com/ecommerce> at 31 July 2007, 1–2. See also M Turner, Towards a Rational Personal Data Breach Notification Regime (2006) Information Policy Institute, 11; Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 1–2.

[9] M Turner, Towards a Rational Personal Data Breach Notification Regime (2006) Information Policy Institute, 2.

[10] Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 2.

[11] M Turner, Towards a Rational Personal Data Breach Notification Regime (2006) Information Policy Institute, 11–12.

[12] Ibid, 12.

[13] Ibid, 13.

[14] B Arnold, ‘Losing It: Corporate Reporting on Data Theft’ (2007) 3 Privacy Law Bulletin 101, 102. See also T Smedinghoff, The New Law of Information Security: What Companies Need to Do Now (2005) Baker & McKenzie <www.bakernet.com/ecommerce> at 31 July 2007; Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 22.

[15] Delaware Code, Synopsis. Similar comments are made in Arkansas Code § 4-110-102.

[16] Some of the data breach notification laws, however, also require regulated entities to implement and maintain reasonable security procedures and practices: see, eg, Arkansas Code § 4-110-104.

[17] See Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 1–2. See also T Smedinghoff, Security Breach Notification—Adapting to the Regulatory Framework (2005) Baker & McKenzie <www.bakernet.com/ecommerce> at 31 July 2007, 1.

[18] Privacy Rights Clearinghouse, A Chronology of Data Breaches—Updated to 28 April 2008 <www.privacyrights.org/ar/ChronDataBreaches.htm> at 29 April 2008.

[19] A Falk, ‘Health Files are Sold as Scrap Paper to Utah’, Deseret Morning News (online), 10 March 2008, <www.deseretnews.com/article/1,5143,695260327,00.html>. The need for security and destruction requirements to extend to hard copies of documents is discussed in Ch 28.

[20] P Wintour, ‘Lost in the Post—25 Million at Risk after Data Discs go Missing’, The Guardian (online) 21 November 2007, <www.guardian.co.uk>.

[21] United Kingdom Information Commissioner’s Office, ‘Information Commissioner Welcomes Government’s Commitment to Strengthen the Powers of the ICO’ (Press Release, 17 December 2007).