Nuts & Bolts: Eye on Privacy
Right now, 38 states have consumer notification laws for data breaches. In addition, a handful of bills are making their way through Capitol Hill on the same topic.
Taken together, these laws and proposals have myriad combinations and permutations of what is considered a security incident, when to notify, how to notify and where to send notification. Generally, notifications can be made using a combination of online and offline methods, which may include e-mail, postal mail, Web site notice, call center and media.
For national marketers, the answer may be to encrypt data, which can keep an incident from triggering the varying state notification laws and the proposed national ones. Most states already have an encrypted data safe harbor, and the bills in Washington, D.C., also propose such a system. Basically, encryption obscures or scrambles data so that it can be read only by someone holding the unique decoding “key,” which is why the key itself must be protected separately from the data it unlocks.
So, what happens when an organization suffers a security incident? Let’s say an unauthorized third party obtains access to 1 million unencrypted records being transferred to your organization. Let’s also say that you have to use the mail option in addition to other methods for consumer notification. At 31 cents per mail piece (presorted, First Class), the postage alone could add up to $310,000. Could your bottom line—or your brand image—handle this kind of expense?
Adding complexity to this already potentially costly exposure are differing definitions and combinations of data that legislators have seen fit to protect in 38 states. In two states, a mother’s maiden name is considered protected data when it is combined with first name (or initial), last name and Social Security number. In another state, physical addresses need to be protected.
And what about consumers? Should consumers in one state really be told they are being protected differently than consumers in another state? This is not exactly a recipe for customer satisfaction.