American International Group began spreading the word last week that information on 970,000 employees at several hundred of its prospective clients had been stolen. What's a million records when it comes on the heels of the loss of sensitive data on 26.5 million people during a burglary of the home of a Veterans Affairs employee? Plenty, when you consider that it took more than three months for the news of the AIG theft to surface.
Companies can use considerable discretion in how fast, how broadly, and under what conditions they must disclose customer data breaches, since the laws vary widely from state to state.
AIG, one of the world's largest insurance companies, says it held off announcing the theft because it didn't want to tip off the crooks--who on March 31 stole two laptops and a server from one of the company's regional offices--that they had so much sensitive information. The company also says the data was stored in a number of different file formats and protected by an application that requires a user name and password to access it. AIG reasoned that if the server had been sold, its hard drive had most likely been erased and written over by the new owner.
There's logic to this wishful thinking: Most hardware is ripped off because it's easy to sell, not because of what it holds. But businesses can't know a crook's motive. Businesses with customers in states with data-breach disclosure laws generally are required to notify customers as soon as possible after discovery of a data breach. But state laws don't set a specific time within which companies must comply, using language like "without unreasonable delay" and "the most expedient time possible." Most of the 33 state laws say law enforcement can delay customer notification if that would impede an investigation, says Kristen Mathews, an attorney with Brown Raysman Millstein Felder & Steiner. AIG says it was in close touch with police but wasn't asked to delay notification. Some states limit the type of company that must disclose breaches, such as only requiring it of data brokers. Some state laws also exempt companies from notifying customers if lost or stolen data has been encrypted and isn't likely to be deciphered. Simple password protection for data doesn't exempt companies, though.
Feds Haven't Taken Action
Congress has been considering a federal customer data-breach notification law for months but hasn't been able to agree on the language. The high-profile VA theft looked like it might rocket this bill ahead, but lawmakers are wrangling over how tough to make it. Some politicians want to give companies considerable discretion through a "no harm, no notice" policy, such as if the data were encrypted or otherwise unlikely to be accessed. Others want customers notified any time their data is lost or stolen.
Delayed disclosure also was an issue in the VA case. The employee's laptop and hard drive were stolen on May 3, but the public wasn't told until about three weeks later. While the VA isn't subject to the same state laws as the private sector, time is critical when personal information is stolen: every day of delay is a day in which the people affected can't take steps to block credit fraud, identity theft, and other crimes. ING U.S. Financial Services, which joined the data-theft club on June 12 when an agent's laptop containing personal data on 13,000 retirees and employees of the District of Columbia's local government was stolen, took five days to conduct an internal investigation and began notifying clients on June 17.
Since February 2005, more than 88 million customer records containing personal information have been lost or stolen, according to the Privacy Rights Clearinghouse. While most states threaten companies with fines for not disclosing breaches to customers, such fines are rarely imposed; Mathews isn't aware of any that have been issued. Would hefty fines get organizations to take data protection more seriously? With 88 million individuals exposed, the threat of public embarrassment or customer backlash doesn't seem to be doing the trick.