Data breach disclosure: Change needed?

Data breach disclosure is a legal necessity in the US and will soon be in the EU too, what with the EU General Data Protection Regulation (still awaiting legislative approval) stipulating that breaches must be reported within 72 hours of the initial incident.

This is – by and large – being actively encouraged in an era of escalating data breaches and post-NSA transparency. Simply hiding the bad news can no longer be tolerated and has too many business repercussions (legal fines, brand damage) anyway.

However, SC was surprised this week to spot an older article in which Dawn-Marie Hutchinson, information security executive at US retailer Urban Outfitters, was very candid about the matter. She believes that companies shouldn't have to disclose data breaches – despite most US states adhering to the Data Security and Breach Notification Bill (although these laws do vary wildly on response times).

“There is this crazy hysteria,” she said about cyber-attacks, when speaking to The Wall Street Journal (paywall), before adding: “Placing blame, it doesn't help anybody.”

Interestingly, Hutchinson added that in the event of a breach her first call isn't to her boss, the Urban technology chief, but rather to the general counsel – “a shift the company made post-Target to cloak the conversations under attorney-client privilege.”

Either way, there seems to be some dispute over the data breach notification process, and even in the EU some have questioned the proposed 72-hour rule, citing the risk of ‘false positives’ and the question of ‘when the clock starts ticking’.

EU Safe Harbour under threat

Expect the furore over US data collection on non-US citizens to rumble on for a good while yet. In the same week that the European Commission backed Microsoft after a New York judge ruled that it had to hand over customer emails from a Dublin-based server to the US government, a civil liberties group claimed that 30 US data brokers and data management firms – including Adobe Systems, AOL, Salesforce.com and Neustar – are violating the EU Safe Harbour framework.

The Washington-based Center for Digital Democracy said in a complaint filed on Thursday that these companies have failed to honour their Safe Harbour commitments, as they are sharing personal information without user consent, engaging in data profiling (the firms have been accused of creating “detailed digital dossiers of EU residents”) and collecting more information than described in their statements.

The group has called on US and EU officials to suspend the programme pending an FTC investigation, and has also criticised the FTC and US Department of Commerce – which helped develop the 14-year-old framework – for a lack of enforcement.

"The commercial surveillance of EU consumers by US companies, without consumer awareness or meaningful consent, contradicts the fundamental rights of EU citizens and European data protection law," the complaint said.