The SEC’s rule on financial firms increases disclosure requirements

Another SEC Commissioner, Hester Peirce, voted in favor of the new rule but expressed concern that it could create notice fatigue, leading people to ignore all security notices. “What worries me the most about this law is that its scope may reduce the number of customer notifications by making them a commonplace and people ignore them. Sometimes, notifications will stop having the intended effect. If covered institutions are afraid of being second-guessed after making a reasonable decision not to send a notice, will they err on the side of sending a notice, even if there is no need?” Peirce asked in a statement. “How does your behavior change when you start getting notifications every few months? Or every month? Or every week? What if you receive notices from multiple companies related to the same violation?”

Peirce also said the new rule would only exacerbate today’s two-tiered breach disclosure regime, in which individual states and individual government agencies each impose their own differing requirements. “The industry will still face a number of different and sometimes conflicting requirements with the government. The continued integration and harmonization of these requirements is a worthy goal toward which federal and state regulators must continue to work,” said Peirce.

Brian Levine, a lawyer who is Ernst & Young’s managing director of cybersecurity, appreciates Peirce’s position but strongly disagrees with her conclusion. “They need to reduce the number of violations and not worry about their customers becoming sensitive to them,” Levine told CSO. “Notification fatigue is real, but the solution is to have fewer breaches, not fewer notifications.”
