Breach Notification Laws have Positive Effect on Security Policies
The University of California, Berkeley Samuelson Law, Technology, & Public Policy Clinic has published a study on data breach notification laws. This study found that public release of data breach information has had a positive effect on company security policies.
The study interviewed chief security officers about organizational structure and security decision-making, the factors affecting investment decisions, and their responses not only to the breach notification laws themselves but to the market effects of breaches, that is, how their organizations reacted to publicly reported breaches at other companies. The authors supplemented this qualitative data with a review of the literature on changes in the IT security world.
The study found that the laws drive information exchange both between and within organizations, and have empowered security officers to push through stronger security measures.
Whatever the actual risk of identity theft from a given breach, and despite claims of consumer apathy towards notices, the simple fact of having to notify publicly causes organizations to adopt stronger security standards for protecting personal information.
The disclosure of security breaches has encouraged the sharing of information among security professionals. I would suggest that the same pattern of communication among security professionals has been mirrored in the media; that data breach notifications have encouraged a discourse about security issues in the news and on blogs such as this one.
One CSO interviewed summarizes each reported data breach as a set of ‘lessons learned’ and circulates it to staff. Others use the reports to patch systems that have been shown to be vulnerable in a disclosed breach.
Beyond an organization’s own efforts to comply with notification laws, reports of breaches at other organizations help security officers maintain that sense of awareness.
Unfortunately, 2007 has proven to be a bad year for data breaches, with the number of reported incidents climbing significantly. Despite the positive indications of this study, earlier surveys and the continuing stream of breaches show that not enough companies have taken such a proactive approach to data security. Time will tell whether more companies internalize these lessons in 2008, or whether the breach toll continues to rise.
One area for improvement the study identified was clarifying the laws’ technology provisions beyond encryption. Encryption is the technology most often cited in breach news, but on its own it is only a baseline: it protects data on a lost or stolen device only if the key or passphrase is not stored alongside it and the device was not left running and unlocked, and it does nothing about an authorized user’s credentials being misused. Companies such as Absolute Software exist to offer layers of protection above and beyond that.
Read the full study here [PDF]
Via schneier