Breach Notification: Time for a Wake Up Call
September 2, 2011 – Articles CIO Insight
The scope of information that requires public disclosure in the event of a data breach is growing exponentially. For example, an email address that is verified as associated with a particular business is infinitely more valuable to phishing scammers than an email address and a guess. CIOs now have the unenviable task of discussing a broad range of data losses with legal, marketing and risk assessment professionals.
In case you haven't heard, the days of having no obligation to notify consumers of a data breach or loss that involves only email addresses may have ended. This should be a major wake-up call for every CIO.
Historically, a business and its CIO were only required to be concerned about personally identifiable information. In other words, if a business did not collect banking information, Social Security numbers, medical information or similar data, then the duty to report a breach or loss only arose in the event that the business had contractually promised its customers that it would do so.