One SEC Commissioner, Hester Peirce, voted for the new rule but expressed concerns that it would generate notification fatigue, which may result in people ultimately ignoring all security notifications. “My biggest concern in regards to the rule is that its breadth may undermine the value of the customer notifications by making them so commonplace that people ignore them. Sooner or later, the notifications will cease having the intended effect. If covered institutions fear being second-guessed after making a reasonable judgment not to send a notice, they may err on the side of sending a notice, even when one may not be obligatory?” Peirce asked in a statement. “How does your conduct change if you start getting a notice every few months? Or every month? Or every week? What if you get notifications from a number of entities related to the same breach?”
Peirce also said that the new rule could only aggravate today’s two-tier breach disclosure rules, with different states mandating different rules than various federal agencies. “The industry still will deal with an array of different and sometimes conflicting state and federal requirements. Further consolidation and harmonization of these requirements is a worthy goal on which federal and state regulators should continue to work,” Peirce said.
Brian Levine, an attorney who is the Ernst & Young managing director for cybersecurity, appreciates Peirce’s position but strongly disagrees with her conclusion. “They have to be reducing the underlying breaches and not worry about whether their customers are getting desensitized to them,” Levine told CSO. “Notification fatigue is a very real thing, but the solution is to have fewer breaches, not fewer notifications.”