Data breach notification laws have proliferated worldwide, beginning with California’s law, which was enacted nearly a decade ago. As a result, citizens are being bombarded by breach notifications and media coverage of data exposures has skyrocketed. But are these increasingly onerous laws leading to stronger information security and better decisions by citizens or are they backfiring? I’ll compare existing laws, analyze data breach notifications and explore the effects of these laws, including feedback from citizens and information security professionals. By comparing data exposure disclosure to other negative events that don't require disclosure and sharing alternate disclosure models, I'll leave the audience questioning whether there's a better way.
3. @stevewerby
Favorite color: Cadet blue
Hobby: Stalking divorcees under age 25
Favorite number: 6.0221415 × 10^23
Pet’s name: Cujo
Favorite movie: Santa with Muscles
Last 4 of my SSN: 6497
Place of birth: Delta City
4. @stevewerby
Infosec since ’99 - ran 2 IT consultancies ’99-’04
Analyst at a university, CISO at state agency,
CISO at a university^2
5. Today’s menu
Incidents I was involved in
Data breach notification laws - what and why
Issues
Alternatives to achieve desired goal
6. Definitions
Exposed
Made accessible to unauthorized person
Breached / compromised
Access gained by unauthorized person
Misused
Used by authorized person for unauthorized purpose
Potential
Possible != actual
7. Getting to know you
Received a data breach notification?
Been involved in handling one?
Investigated the incident that led to it?
Participated in decision about whether to notify?
Identified contact information?
Wrote notification content?
Handled notification logistics?
Answered calls from affected individuals?
Caused an incident that led to a notification?
8. Example exposures…maybe
Data sanitization vendor’s driver sold laptops
Medical provider’s computers stolen
Grade processing system stolen
Personal info exposed to unauthorized employees
Web hosting provider’s password DB compromised
9. $
Sony - $10s of millions
Those I’ve been involved in – 5-6 figures
12. Tip of the iceberg
Only a tiny fraction of data exposures are disclosed
13. In the beginning
California’s SB 1386 – enacted in 2002, effective July 1, 2003
Limited to data related to financial identity fraud
14. Motivation
Perception that breaches of electronic data involving
personally identifiable information were increasing
15. Increase in electronic breaches?
Actual increase not verifiable
Doesn’t consider growth in electronic data storage
Substantial % of identity fraud not due to electronic data
Remote system accessibility & portable storage increase
Breach stats combine actual and potential
Has led to a cycle
=> More/broader/improved laws
=> more reporting
=> more individual awareness & more media coverage
=> improved security resources, processes, posture
=> more breaches discovered
=> more/broader/improved laws
16. Rationale
Provides necessary information for affected
individuals to make informed decisions to mitigate
impact
Negative consequences associated with disclosure
will result in improved security practices
18. Types of harm
Death and physical harm
Financial loss
Loss of $, loss of property, property damage
Credit score damage
Financial identity fraud
Account takeover
Account creation
Social harm
Loss of job, damage to professional opportunities
Relationships, embarrassment
19. AYCE notification
Death and physical harm
Murderers, violent offenders, mentally unstable
People with contagious disease, speeders, drunk drivers
Financial loss
Robbery, burglary, vandalism (robber, burglar, vandal)
Fraud, customer complaints, charlatans
Social harm
Insecure Wi-Fi APs, people who own binoculars
Provides necessary information for at risk
individuals to make informed decisions to
mitigate impact
Negative consequences associated with
disclosure will result in reduction in risk
20. Data breach notification laws
Federal laws
Health records – HITECH Act (via HHS and FTC)
Financial records – GLBA, FTC Safeguards Rule
Education records – FERPA
Federal agencies’ records – FISMA, OMB, VA
State+ laws
46 states (MA+NC cover paper)
DC + Puerto Rico + Virgin Islands
International
Europe
Japan
And more
22. Data breach laws - future
Federal laws
Existing laws are in flux
Overarching national law could be coming
State+ laws
Scope and other details changing
Alabama, Kentucky, New Mexico, South Dakota
Texas healthcare, California beefing theirs up
International
Europe considering expanding beyond telecom
Canada
Taiwan
23. Components
Who the law applies to
Types of data covered
State/format of data covered
What constitutes a breach
Disclosure obligations
Non-compliance ramifications
Exceptions
24. Who the law applies to
Entity || individual (may specify type)
Conducts biz in state
|| Maintains data of residents of state
|| Resulted in or may result in a type of harm to a
resident of the state
25. Types of data covered
(First name || first initial) && last name
&&
( (SSN || DL || unique government ID)
|| ((Financial account # || CC # || debit card #) && (security code || password))
|| (Medical info || health insurance info) )
26. State/format of data covered
Electronic (in some cases paper too)
Unencrypted
|| Encrypted, but key breached
|| Not redacted or altered (e.g. SSN <5 digits, DL last 4)
27. What constitutes a breach
Unauthorized access and acquisition that
compromises
security || confidentiality || integrity
of a record (sometimes must be 2+ records)
28. Disclosure obligations - who
Notify affected individual
|| the affected owner/licensee
Notify Office of Attorney General
Notify consumer reporting agencies
29. Disclosure obligations - when
Without reasonable delay
Sometimes immediately || within specific
timeframe
Can delay to determine scope
&& restore system integrity
&& if LEA advises disclosure will impede
investigation or national security
30. Disclosure obligations - method
Written notice
Email notice if email address is valid
&& individual permits communication via email
Telephone
Media || email || org’s website if
cost > defined threshold
|| # of recipients > defined threshold
|| contact info is unreliable or unknown
|| can’t identify affected individuals
31. Disclosure obligations - detail
General incident overview
Type of personally identifiable information
Steps that will be taken to protect further
unauthorized access
Contact phone number (if one exists)
Advice to review account information
and free credit reports
32. Non-compliance ramifications
Attorney general may bring action to
Obtain actual damages
Seek civil penalty for willful and knowing violation of
notification requirements
Federal agencies can sanction orgs
Mandate controls
Mandate audits
Affected individual can seek to recover direct
economic damages
But not $ for the time they put into doing so
33. Exceptions
Notification not required if affected individuals
unlikely to experience fraud as a result of incident
Some types of organization/sectors excluded
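The trigger described on slides 25 through 33 is mechanical enough to encode, and doing so is a useful first-pass triage step when you are staring at an inventory of what a stolen laptop or a compromised database actually held. The block below is an added example, not material from the talk: the field names, the ExposedRecord type and the notice thresholds are assumptions made for the illustration, and the sample incidents are constructed rather than the real cases from slide 8. Check every threshold and element group against the statute you are actually applying.

```python
"""Added example (not from the talk): the typical state-law notification
trigger from slides 25-33, encoded as a triage check an incident handler
could run against an inventory of what was exposed. Field names, the
ExposedRecord type and the threshold defaults are assumptions made for
this illustration; check them against the statute you are applying."""
from dataclasses import dataclass, field

# Element groups from slide 25 (types of data covered).
NAME_FIELDS = {"first_name", "first_initial"}
GOV_ID_FIELDS = {"ssn", "drivers_license", "gov_id"}
ACCOUNT_FIELDS = {"financial_account", "credit_card", "debit_card"}
SECRET_FIELDS = {"security_code", "password"}
HEALTH_FIELDS = {"medical_info", "health_insurance_info"}


@dataclass
class ExposedRecord:
    """What was in the exposed data set and in what state (slide 26)."""
    fields: set                      # field names present in the exposed data
    encrypted: bool = False
    key_compromised: bool = False    # encryption is no defence if the key went too
    redacted: set = field(default_factory=set)  # e.g. SSN truncated to last 4


def is_covered_pii(fields):
    """Slide 25: (first name || first initial) && last name, plus at least one
    sensitive element group.  Account numbers count only together with a
    security code or password."""
    has_name = bool(fields & NAME_FIELDS) and "last_name" in fields
    gov_id = bool(fields & GOV_ID_FIELDS)
    account = bool(fields & ACCOUNT_FIELDS) and bool(fields & SECRET_FIELDS)
    health = bool(fields & HEALTH_FIELDS)
    return has_name and (gov_id or account or health)


def is_covered_state(rec):
    """Slide 26: covered if unencrypted, or encrypted but the key was breached;
    only the elements that were not redacted are considered."""
    if rec.encrypted and not rec.key_compromised:
        return False
    return is_covered_pii(rec.fields - rec.redacted)


def must_notify(rec, acquired, fraud_likely=True):
    """Slides 27 and 33: a breach is unauthorized access *and* acquisition;
    no notice is required where fraud is unlikely to result."""
    return is_covered_state(rec) and acquired and fraud_likely


def notice_method(num_affected, cost_per_notice, email_permitted, contact_reliable,
                  cost_threshold=250_000, count_threshold=500_000):
    """Slide 30: substitute notice (media / email / web site) when the cost or
    head count exceeds a threshold or contact details are unreliable;
    otherwise written notice, or email where the individual permits it.
    The default thresholds are illustrative, not taken from any one statute."""
    if (num_affected * cost_per_notice > cost_threshold
            or num_affected > count_threshold
            or not contact_reliable):
        return "substitute"
    return "email" if email_permitted else "written"


# Constructed sample incidents, loosely modelled on slide 8 (not the real cases).
INCIDENTS = {
    "stolen_laptop": ExposedRecord({"first_name", "last_name", "ssn"},
                                   encrypted=True, key_compromised=False),
    "grade_system": ExposedRecord({"first_name", "last_name", "ssn"},
                                  redacted={"ssn"}),          # last-4 only
    "clinic_pc": ExposedRecord({"first_initial", "last_name", "medical_info"}),
    "hosting_db": ExposedRecord({"first_name", "last_name", "email", "password"}),
}


def triage(incidents=INCIDENTS, acquired=True):
    """Return {incident name: notification required?} for each incident."""
    return {name: must_notify(rec, acquired) for name, rec in incidents.items()}


if __name__ == "__main__":
    for name, decision in triage().items():
        print(f"{name:14} notify={decision}")
```

Two of the constructed cases show why the definitions matter: the encrypted laptop and the last-4-only grade system both fall outside the trigger even though names and SSNs were on them, while the hosting provider's password database, which the attacker can use to take over the victims' email (slide 51's "keys to the kingdom"), produces no obligation at all because email address and password are not elements the statute recognises (slide 39).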
35. Issues – scope
Not comprehensive enough
Mostly electronic – 30% of reported breaches involve
paper; some reports indicate most breaches involve paper
What about spoken word…and smoke signals?
Focus almost entirely on financial identity fraud
Excessive notification
Only 3% of those notified of a breach experience identity
fraud as a result
Leads to ignoring, considering all the same, failure to take
action
36. Issues – ambiguity
Reasonable
Without reasonable delay
Likely
May result in harm
Likely to result in harm
Validity of contact information
Must other states’ laws be adhered to?
37. Issues – difficulty complying
Inconsistencies
Follow each state’s requirements, or adhere to the
most restrictive state’s requirement everywhere
Incompatibilities
One state allows delaying notification at law enforcement’s (LEA) request,
but another state doesn’t allow for that
Individual / small org vs. large org
38. Issues – inequitable treatment
Single incident could result in
Notification not required for some individuals
Some individuals provided different information
Some individuals less likely to receive notification
39. Issues – miscellaneous
Ways of identifying a person are myopic
Username, email address, phone number
Don’t always know residency of individual
Residency information not collected
Residency information could be stale
Phone # portability
41. Issues - rationale reality
Rationale: provides necessary information for affected individuals to make informed decisions to mitigate impact
Information overload – useless information
Many actions should be taken regularly anyway
Account review, credit report review
Some actions can’t be taken
Can’t get issued new SSN or stop doing biz with gov
Risk is overblown – impact likelihood / liability
42. Issues - rationale reality
Many incidents are people failures
Affected individuals’ memories are short
Orgs’ efforts like Iridium-192 (half-life ~74 days)
Orgs’ efforts sub-optimized
Proof’s in the pudding
Rationale: negative consequences associated with disclosure will result in improved security practices
48. Alternatives – the elements
Focus on preventing unauthorized access
Focus on preventing misuse of data
Encourage individual behavior
Improve breach notification laws
49. Prevent unauthorized access
Mandate or encourage
Limiting access to unauthorized personnel
Limiting use to authorized purposes
Protection and transmission of data
Risk management
Educate authorized personnel
Increase personnel’s accountability
50. Prevent misuse of data
Focus on preventing misuse of data
Make it more difficult to access financial accounts
Make it more difficult to create financial accounts
Make it more difficult to access any accounts
Increase penalties for data theft and misuse
51. Encourage individual behavior
Preventive
Use unique passwords everywhere
Use unique usernames (I don’t eat my own dog food)
Protect your email account – keys to the kingdom
Protect the personal information you control
Detective
Check financial accounts routinely
Check credit reports routinely
52. Improve breach notification laws
Increase scope beyond financial fraud risk
Oh, Canada!
And include all types of orgs
Increase consistency in state laws
Risk-based approach
Likelihood of access, likelihood of misuse, potential impact,
org’s ability to mitigate, compensating controls, affected
individual’s ability to mitigate
Compliance status – infosec program, risk-based approach
Sanction status
Leave up to org? Or scoring system