Data breach notification laws have proliferated worldwide, beginning with California’s law, which was enacted nearly a decade ago. As a result, citizens are being bombarded by breach notifications and media coverage of data exposures has skyrocketed. But are these increasingly onerous laws leading to stronger information security and better decisions by citizens or are they backfiring? I’ll compare existing laws, analyze data breach notifications and explore the effects of these laws, including feedback from citizens and information security professionals. By comparing data exposure disclosure to other negative events that don't require disclosure and sharing alternate disclosure models, I'll leave the audience questioning whether there's a better way.

1. Data Breach Notification Laws
Time for a Pimp Slap
10/21/2011
Steve Werby
Chief Information Security Officer
University of Texas at San Antonio

2. Pimp slap
 A powerful, backhanded slap to the face

3. @stevewerby
 Favorite color: Cadet blue
 Hobby: Stalking divorcees under age 25
 Favorite number: 6.0221415 × 10^23
 Pet’s name: Cujo
 Favorite movie: Santa with Muscles
 Last 4 of my SSN: 6497
 Place of birth: Delta City

4.  Infosec since ’99 - ran 2 IT consultancies ’99-’04
 Analyst at a university
 Infosec since ’99 - ran 2 IT consultancies ’99-’04
 Analyst at a university, CISO at state agency
@stevewerby
 Infosec since ’99 - ran 2 IT consultancies ’99-’04
 Analyst at a university, CISO at state agency,
CISO at a university
 Infosec since ’99 - ran 2 IT consultancies ’99-’04
 Analyst at a university, CISO at state agency,
CISO at a university^2

5. Today’s menu
 Incidents I was involved in
 Data breach notification laws - what and why
 Issues
 Alternatives to achieve desired goal

6. Definitions
 Exposed
 Made accessible to unauthorized person
 Breached / compromised
 Access gained by unauthorized person
 Misused
 Used by authorized person for unauthorized purpose
 Potential
 Possible != actual

7. Getting to know you
 Received a data breach notification?
 Been involved in handling one?
 Investigated the incident that led to it?
 Participated in decision about whether to notify?
 Identified contact information?
 Wrote notification content?
 Handled notification logistics?
 Answered calls from affected individuals?
 Caused an incident that led to a notification?

8. Example exposures…maybe
 Data sanitization vendor’s driver sold laptops
 Medical provider’s computers stolen
 Grade processing system stolen
 Personal info exposed to unauthorized employees
 Web hosting provider’s password DB compromised
 Data sanitization vendor’s driver sold laptops
 Medical provider’s computers stolen
 Grade processing system stolen
 Personal info exposed to unauthorized employees
 Web hosting provider’s password DB compromised

9. $
 Sony - $10s of millions
 Those I’ve been involved in – 5-6 figures

10.  3rd-party forensic analysis - $222,000
 Legal consultant - $100,000
 Communications consultant - $50,000
 Notification and credit protection - $3,700,000
 Reputational damage - ?
 Employee time - ?
$
 12/15/2010
Ohio State exposure of 760,000 individuals
names, DOBs, SSNs

11. 2 recent examples
 TRICARE
 Stanford Hospital

12. Tip of the iceberg
 Only a tiny fraction of data exposures are disclosed

13. In the beginning
 Enacted in 2002, effective in 2003
 Limited to data related to financial identity fraud

14. Motivation
 Perception that breaches of electronic data
involving personally identifiable information was
increasing

15. Increase in electronic breaches?
 Actual increase not verifiable
 Doesn’t consider growth in electronic data storage
 Substantial % of identity fraud not due to electronic data
 Remote system accessibility & portable storage increase
 Breach stats combine actual and potential
 Has led to a cycle
=> More/broader/improved laws
=> more reporting
=> more individual awareness & more media coverage
=> improved security resources, processes, posture
=> more breaches discovered
=> more/broader/improved laws

16. Rationale
 Provides necessary information for affected
individuals to make informed decisions to mitigate
impact
 Negative consequences associated with disclosure
will result in improved security practices

17. Boom goes the dynamite

18. Types of harm
 Death and physical harm
 Financial loss
 Loss of $, loss of property, property damage
 Credit score damage
 Financial identity fraud
 Account takeover
 Account creation
 Social harm
 Loss of job, damage to professional opportunities
 Relationships, embarrassment

19. AYCE notification
 Death and physical harm
 Murderers, violent offenders, mentally unstable
 People with contagious disease, speeders, drunk drivers
 Financial loss
 Robbery, burglary, vandalism (robber, burglar, vandal)
 Fraud, customer complaints, charlatans
 Social harm
 Insecure Wi-Fi APs, people who own binoculars
 Provides necessary information for at risk
individuals to make informed decisions to
mitigate impact
 Negative consequences associated with
disclosure will result in reduction in risk

20. Data breach notification laws
 Federal laws
 Health records – HITECH Act (via HHS and FTC)
 Financial records – GLBA, FTC Safeguards Rule
 Education records – FERPA
 Federal agencies’ records – FISMA, OMB, VA
 State+ laws
 46 states (MA+NC cover paper)
 DC + Puerto Rico + Virgin Islands
 International
 Europe
 Japan
 And more

21. Data breach notification laws

22. Data breach laws - future
 Federal laws
 Existing laws are in flux
 Overarching national law could be coming
 State+ laws
 Scope and other details changing
 Alabama, Kentucky, New Mexico, South Dakota
 Texas healthcare, California beefing theirs up
 International
 Europe considering expanding beyond telecom
 Canada
 Taiwan

23. Components
 Who the law applies to
 Types of data covered
 State/format of data covered
 What constitutes a breach
 Disclosure obligations
 Non-compliance ramifications
 Exceptions

24. Who the law applies to
 Entity || individual May specify type
 Conducts biz in state
|| Maintains data of residents of state
|| Resulted in or may result in a type of harm to a
resident of the state

25. Types of data covered
 (First name || first initial) && last name
+
(SSN || DL || unique government ID)
||
((Financial account # || CC # || debit card #)
&&
(Security code || password))
||
(Medical info || health insurance info)

26. State/format of data covered
 Electronic In some cases paper too
 Unencrypted
|| Encrypted, but key breached
|| Not redacted or altered SSN <5, DL last 4

27. What constitutes a breach
 Unauthorized access and acquisition that
compromises
security || confidentiality || integrity
of a record Sometimes must be 2+ records

28. Disclosure obligations - who
 Notify affected individual
|| the affected owner/licensee
 Notify Office of Attorney General
 Notify consumer reporting agencies

29. Disclosure obligations - when
 Without reasonable delay
Sometimes immediately || within specific
timeframe
 Can delay to determine scope
&& restore system integrity
&& if LEA advises disclosure will impede
investigation or national security

30. Disclosure obligations - method
 Written notice
 Email notice if email address is valid
&& individual permits communication via email
 Telephone
 Media || email || org’s website if
cost > defined threshold
|| # of recipients > defined threshold
|| contact info is unreliable or unknown
|| can’t identify affected individuals

31. Disclosure obligations - detail
 General incident overview
 Type of personally identifiable information
 Steps that will be taken to protect further
unauthorized access
 Contact phone number (if one exists)
 Advice to review account information
and free credit reports

32. Non-compliance ramifications
 Attorney general may bring action to
 Obtain actual damages
 Seek civil penalty for willful and knowing violation of
notification requirements
 Federal agencies can sanction orgs
 Mandate controls
 Mandate audits
 Affected individual can seek to recover direct
economic damages
 But not $ for the time they put into doing so

33. Exceptions
 Notification not required if affected individuals
unlikely to experience fraud as a result of incident
 Some types of organization/sectors excluded

34. Data breach notification laws

35. Issues – scope
 Not comprehensive enough
 Mostly electronic – 30% of reported breaches involve
paper; some reports indicate most breaches involve paper
 What about spoken word…and smoke signals?
 Focus almost entirely on financial identity fraud
 Excessive notification
 Only 3% of those notified of a breach experience identity
fraud as a result
 Leads to ignoring, considering all the same, failure to take
action

36. Issues – ambiguity
 Reasonable
 Without reasonable delay
 Likely
 May result in harm
 Likely to result in harm
 Validity of contact information
 Must other states’ laws be adhered to?

37. Issues – difficulty complying
 Inconsistencies
 Follow each state’s requirement or adhere to the
state’s requirement that’s limiting
 Incompatibilities
 LEA allows for delay in notification, but another state
doesn’t allow for that
 Individual / small org vs. large org

38. Issues – inequitable treatment
 Single incident could result in
 Notification not required for some individuals
 Some individuals provided different information
 Some individuals less likely to receive notification

39. Issues – miscellaneous
 Ways of identifying a person are myopic
 Username, email address, phone number
 Don’t always know residency of individual
 Residency information not collected
 Residency information could be stale
 Phone # portability

40. Issues – incentives
 Avoidance $ < notification $ + notification impact
$?

41. Issues - rationale reality
 Provides necessary
information for affected
individuals to make informed
decisions to mitigate impact
 Information overload – useless information
 Many actions should be taken regularly anyway
 Account review, credit report review
 Some actions can’t be taken
 Can’t get issued new SSN or stop doing biz with gov
 Risk is overblown – impact likelihood / liability

42. Issues - rationale reality
 Many incidents are people failures
 Affected individuals’ memories are short
 Orgs’ efforts like Iridium-192
 Orgs’ efforts sub-optimized
 Proof’s in the pudding
 Negative consequences
associated with disclosure
will result in improved
security practices

43. Pimp slap

44. Alternatives

45. Plan 1
 Play Angry Birds and just don’t sweat it

46. Plan 2
 Fine violators $100 billion

47. Plan 3
 Make all information public

48. Alternatives – the elements
 Focus on preventing unauthorized access
 Focus on preventing misuse of data
 Encourage individual behavior
 Improve breach notification laws

49. Prevent unauthorized access
 Mandate or encourage
 Limiting access to unauthorized personnel
 Limiting use to authorized purposes
 Protection and transmission of data
 Risk management
 Educate authorized personnel
 Increase personnel’s accountability

50. Prevent misuse of data
 Focus on preventing misuse of data
 Make it more difficult to access financial accounts
 Make it more difficult to create financial accounts
 Make it more difficult to access any accounts
 Increase penalties for data theft and misuse

51. Encourage individual behavior
 Preventive
 Use unique passwords everywhere
 Use unique usernames (I don’t eat my own dog food)
 Protect your email account – keys to the kingdom
 Protect the personal information you control
 Detective
 Check financial accounts routinely
 Check credit reports routinely

52. Improve breach notification laws
 Increase scope beyond financial fraud risk
 Oh, Canada!
 And include all types of orgs
 Increase consistency in state laws
 Risk-based approach
 Likelihood of access, likelihood of misuse, potential impact,
org’s ability to mitigate, compensating controls, affected
individual’s ability to mitigate
 Compliance status – infosec program, risk-based approach
 Sanction status
 Leave up to org? Or scoring system

53. Improve breach notification laws
 Consistent reporting format
 Increase information that’s shared
 Reduce PR speak
 Clearly describe risk
 Clearly describe recommended actions

54. Improve breach notification laws
 Tiered notification
 Tier 1 – track internally, make available for audit,
notify internal personnel
 Tier 2 – notify national authority and internal
personnel
 Tier 3 – notify affected individuals
 Notification methods
 To affected individual – base on org’s size
 National database – public and private views

55. Questions and discussion
?

56. Contact me
 <myfirstname>@<mylastname>.com
 @stevewerby
 3 blocks from 29.431057° N, 98.490522° W