What would you do if you discovered thousands of consumer profiles including social security numbers in the trash or floating in cyberspace? In an act to help those affected consumers avoid damage through identity theft, would you report the breach to the data owner that presumably mishandled the information?
Alternatively, would you report your discovery to law enforcement or a regulatory body, such as your state’s privacy office or the office of the attorney general? What about reporting the breach to one of the national watchdog privacy groups? Or would it be better not to get involved?
Our experiences suggest that organizations, whether private, governmental or not-for-profit, are unresponsive to data breach reports from third parties. This raises the question: how many breaches go unreported because no one is willing to listen to and investigate third-party reports?
Under federal laws, financial institutions, as well as many other institutions, are required to follow privacy and security best practices. These include having an employee, appointed by top management, who oversees the privacy and secure handling of consumer information. Vendors of those institutions that handle consumer information are required to do the same: appoint a privacy or security officer.
Occasionally our office has received faxes or emails from financial institutions containing sensitive financial account and other personal information about customers. For example, our office once received a 30-page mortgage application that was faxed accidentally to our number.
When we contacted the financial institutions by telephone to report the disclosure of protected information, we asked for the privacy or security officer. The person answering the phone did not know how to direct us. It has taken us anywhere from hours to days to succeed in reporting these violations to the appropriate employee at the financial institution so that they could take action to prevent further disclosure.
Part 2 of this article will discuss a recent data breach involving over 1,600 consumers who applied online for employment through a Wisconsin financial institution’s website. Although most of the victims were from Wisconsin, this relatively small data breach included job applicants from 20 states and U.S. territories. The example illustrates the challenges third parties face when they discover a breach and decide to report the information at risk.