A Clinic study of chief security officers finds that security breach notification laws, which require governments and businesses to inform the public about unauthorized access to personal information, have had profound effects on practices within companies. We found that breach notification laws drive information exchange between organizations, and within organizations themselves. The laws have also empowered chief security officers to implement new technologies, including encryption and auditing measures, to protect personal data. The chief security officers interviewed also reported that security hasn’t permeated the consumer marketplace, and accordingly, consumers don’t consider security when comparing products and services. Several recommendations are made, including the creation of a centralized, publicly available database where security breaches are disclosed. This would allow security professionals to learn from others’ problems, and to have the “that could have been us” realization that justifies security interventions.
Study recommending reforms for security breach notification laws.