In February, Congress held a hearing on data breach disclosure rules. For two hours, members of the Subcommittee on Financial Institutions and Consumer Credit wrestled with when companies should disclose a breach, what they should disclose, and whether the United States should have one standard for breach disclosure nationwide.
Don’t die of shock here, but the hearing didn’t result in much consensus.
On the contrary, debate among lawmakers and five panelists invited to speak underlined the profoundly different approaches to personal data that are emerging today — with corporate compliance officers, and the breach response programs you oversee, caught in the middle.
On one side is what we could call the “pro-company” view. It’s better that companies give consumers accurate information about a breach, this thinking goes, and therefore companies should have an appropriate amount of time to compile that analysis. Maybe it’s 72 hours, maybe one week; maybe the company even determines this window for itself, based on the circumstances at hand.
On the other side is the “pro-consumer” view. This group says it’s better that companies give consumers immediate information about a breach, and therefore regulators are well within rights to specify some fixed period of time. One example would be the European Union’s General Data Protection Regulation, and its requirement for disclosure of a breach within 72 hours of a company discovering it.
We could spend many hours debating the merits of each camp. Or we could ask the real question that drives this debate: Who owns personally identifiable information?
That’s what questions about breach disclosure are all about, really. If your answer to the above question is, “I own my PII; it’s about me!” then naturally you want to know as soon as possible when your property is damaged. For example, if a friend borrows your car and wrecks it, you want to know immediately. You don’t care about giving the friend extra time to compile an accident reconstruction analysis with local police.
If your answer is, “The company owns any PII it collects or that customers voluntarily give to it,” then logically the company can take more time. Yes, most companies will still strive to disclose information to aggrieved consumers, but it’s a lesser duty of care since the data belongs to the company.
Difference in Data Privacy between the EU & U.S.
Compliance officers at large organizations have no easy path forward here, since powerful forces align with both camps. For example, the GDPR assumes that personally identifiable information belongs to the person, and that stance is rooted in deeply held cultural norms Europeans have about privacy.
The United States, meanwhile, has a much more mixed position, because we have never answered the “Who owns PII?” question clearly and definitively. Instead we have a hodgepodge of disclosure regulations that vary by state, industry, and type of data. We also have a bad habit of deciding to regulate after some big policy failure, rather than before it.
GDPR or Not, It’s Just Good Practice
On a practical level, ethics and compliance officers are well served simply by implementing the GDPR’s standards in all their fine detail. First, if you do business in Europe or handle data of EU citizens, you don’t have much choice.
More broadly, the fundamentals of GDPR compliance — risk assessment, vendor management, employee compliance training, escalation procedures after a breach — are all going to help your organization anyway.
Think about it. If you could build a compliance program that delivered all those privacy protections for “sensitive intellectual property” rather than “personally identifiable information,” would your CEO and board be annoyed? No. They’d love you for it.
The GDPR is setting a high standard for privacy and good data stewardship that, eventually, all companies will need to achieve simply because of how the modern IT environment is evolving. The GDPR might be ahead of the strategic business imperative right now, but the imperative will catch up.
And lastly, the GDPR’s stance on PII seems to be on the right side of history. Not long ago I spoke with a privacy lawyer and joked about the potential for a California Data Protection Regulation. He chuckled, then paused thoughtfully, and said, “Actually, that’s not funny.”
I’m not sure whether the spread of GDPR privacy expectations would be funny or not. But compliance officers might want to err on the side of caution, and assume it’s inevitable.