Saturday, September 17, 2011

Changes in Public Disclosure Laws

Today’s businesses cannot afford to treat it lightly when their customers’ email addresses are stolen or lost. Such an occurrence might already carry a legal obligation to notify customers about the data breach. Changes under way across the privacy arena serve as a wake-up call to businesses and CIOs.

Major changes are being implemented in the way businesses are held accountable for the safety of personal information. Public disclosure of data breaches is being applied on a wider scale, and so quickly that many businesses seem to find it difficult to cope. They have one question: “Which kind of data legally requires public disclosure?”

It used to be that businesses and CIOs had to deal with the problem only if “personally identifiable information” was lost or stolen. This means that a company is required to disclose only if it collects information that can identify, or be traced back to, a person. Such data includes, among others, a user’s bank accounts, Social Security numbers and medical information. The business has the obligation to inform the owners of any data breach.

When only the names of customers are lost or stolen, the business is not required to notify the customers involved. The situation is different if the customers’ Social Security numbers or email addresses are stolen together with the names. With these, there is enough information to give hackers a better chance of intruding into the customers’ privacy.

Hackers will try all means to figure out the password to an email address. When they succeed, it opens up to them the virtual world of the account’s owner. Many users use the same password for their email, banking, and social networking accounts despite continuous education. This situation alone explains why businesses should not be lenient when it comes to protecting personally identifiable information.

After the hackers gain access to users’ accounts, it is possible for customers to receive emails from one of their “contacts”. Chances are that users would treat the email as reliable because it appears to come from one of their associates. But when the customers enter their usernames and passwords, all of their useful information, which could also include that of their contacts, is stolen. This case shows that the simple loss of email addresses can pose a great risk. It then becomes an issue of public disclosure for any business.
