Interesting news from California that Governor Arnold Schwarzenegger has vetoed a proposed amendment to the State’s data security breach notification requirements.
California introduced a requirement to inform its residents if the security of any unencrypted personal information about them had been compromised as far back as 2003. For those who are interested, the obligations can be found in California’s Civil Code – see section 1798.82.
A number of other States followed suit, but have since gone on to elaborate further on their respective notification requirements. The vetoed Bill would have done the same for California law, adding requirements to provide individuals affected with specific details about any breach, such as the types of personal information affected, the date or range of dates (actual or estimated) when the breach is believed to have occurred and a general description of the breach incident. Significantly, it would also have required that any single breach affecting more than 500 Californian residents be notified to the State Attorney General.
In declining to sign the Bill the Governor cited the absence of evidence that the additional requirements would benefit consumers. In particular, he made the apparently sensible point that a requirement to tell the Attorney General’s Office about breaches affecting a lot of people doesn’t really serve much purpose if the Attorney General doesn’t have any corresponding obligations to do anything in response.
On the face of it Schwarzenegger’s approach, although apparently a surprise to those backing the Bill, looks reasonable. Why impose more detailed rules around breach notification if it doesn’t help the individuals affected? Looking at this in practical terms, would the details required by the Bill – exactly what happened, how and when – help the individuals affected to take steps to protect themselves against misuse of their data in all or even most of the cases in which notification is required? And even if it potentially did, how many of those people would actually proactively use that additional information for those purposes in any given case? There is surely a danger that with more detail comes an increasing administrative burden (and cost) and that that cost quickly becomes out of proportion to any benefit which the additional information brings.
In the UK at present there is no breach notification requirement. Guidance from the UK Information Commissioner’s Office states that, as a matter of good practice, data controllers should inform the ICO of any serious data security incident, with what is serious being determined by reference to the nature and extent of the personal data affected. The primary consideration according to the guidance is the likely extent of potential harm to the individuals whose data has been compromised. Separate guidance suggests broadly the same approach to informing the individuals affected, stressing that notifying them should have a clear purpose, such as allowing them to take steps to prevent or mitigate the effects of any unauthorised use of their data. Shades of Schwarzenegger’s reasoning on the Bill then.
To me, the UK’s current approach builds in the flexibility and proportionality which is essential if breach notification is to be a worthwhile exercise for everyone concerned. The danger, if the UK moved at any point to make notification mandatory, is that data controllers would be likely to “over notify”. In other words, even if the obligation was drafted to reflect the ICO’s guidance – only tell people about serious incidents and where it will help them to protect themselves – data controllers would naturally tend to tell people about every incident, removing the need to take difficult decisions about what exactly the law required of them and avoiding any risk of compliance failure. That in turn, in my view, could lead to notification “fatigue”, with individuals becoming gradually less interested in (and therefore likely to do anything with) the information sent to them.
There are of course other views on this and I would be interested to hear what any of you think. The US are obviously quite keen on their breach notification requirements, albeit that Schwarzenegger has, for now at least, halted the legislative march in California. The issue though will undoubtedly be back.
On October 22, 2009