Stephen J. Stose
IST 618, Dr. Thomas Martin
Syracuse University School of Information Studies
Summer 2008

Data Breaches

"Over 233 million data records of U.S. residents have been exposed due to security breaches since Jan 05." [i]

Background

The Ponemon Institute, a company dedicated to advancing responsible information management policies, reports that companies in 2007 spent an average of 6.3 million dollars in costs associated with lost or stolen data, a 30% increase over the preceding year [ii]. This means an average cost of $197 per compromised record, up from $182. In 2008, the Identity Theft Resource Center reports a 69% increase in data breaches, 20% of which constitute lost or stolen devices, and 15% "inadvertent posting" [iii]. The Ponemon Institute reports even higher figures for lost or stolen devices: 49% in 2006 [iv]. Attrition.org maintains an updated list of these breaches. Perusing the list, these and other forms of negligence, such as improperly stored and/or transmitted data, comprise the surprising majority of cases [v]. Indeed, current workplace habits such as downloading or copying confidential records onto personal devices, turning off security settings or firewalls, sharing passwords, or sending attachments to home computers are common [vi].

These increases are startling, but may be attributable to a higher incidence of reporting breaches. Since California's security breach notification legislation came into effect in 2003 [vii], many states now have similar notification laws, and companies are now considering their effects [viii]. The U.S. (contrary to the E.U.) has no overarching law that governs how the private sector uses and protects personal information. Instead, it promotes industry self-regulation through privacy and technology statements, and opt-out standards that apply in a patchwork fashion depending on the types and uses of information collected and stored [ix].
Two possible effects state notification laws have in common are: 1) loss of reputation and hence market share, and 2) customer re-assessment of the risk of doing business with the entity concerned. We will argue in another section that notification laws are not sufficient to deter substandard data security. Additionally, these measures, while seeking to indemnify customers against actual breaches, may do nothing to prevent the breach in the first place.

The Gramm-Leach-Bliley Act [x] is a federal regulation to prevent fraudulent access to financial information through impersonation, phone, mail, email, or phishing (15 U.S.C. § 6821-6827); it also requires that institutions have information security plans in place that specify how a company will protect and ensure the privacy of non-public personal information (15 U.S.C. § 6801-6809). These regulations apply only to financial institutions, however, and not to general small businesses, e-commerce or social-networking transactions. We believe other such overarching regulation needs to be developed federally that covers all information collection endeavors in the new age of electronic transmissions. This should include data security and breach-notification laws, rules that specify penalties for breaches, and strong privacy laws requiring companies to disclose their privacy statements along with assumptions of transparency. The default, we believe, should be more akin to opt-in; that is to say, consumers should not be required to work to keep their data secure and private.

Perspective

The paper is written from the perspective of an information professional, as well as a daily participant in the new world of electronic communication and commerce. My background as a social scientist affords me a high level of analysis of pertinent issues of data and its importance to the livelihood of conducting business and commerce, while still respecting fundamentally human rights to privacy, data protection, and security. These beliefs are fundamental to this analysis, which attempts to uphold the 1974 Privacy Act as close to the letter as possible, despite trends that continue to the contrary. Nevertheless, it attempts to adapt itself to current realities, while still making recommendations believed to create a stronger, safer and more human system of electronic communications and commerce.

Issue Questions

The issues I will address in this paper are:

1. Is there a need for legislation to ensure that confidential information is stored securely so that the incidence of data breaches can be reduced?
2. When should those whose data has been compromised be notified of a data breach?
3. Should those whose information has been compromised be given the right to receive compensation for damages, and what actions should the company losing the data be required to take to minimize damages?
4. Is there a need to pass consumer privacy laws so that they impose fair information practices upon creators of databases containing confidential information?

Is there a need for legislation to ensure that confidential information is stored securely so that the incidence of data breaches can be reduced?

One standard, developed by the various credit card companies, is the Payment Card Industry Data Security Standard (PCI DSS). This is now a mandatory twelve-step global standard that ensures the protection of all cardholder data, and requires external auditing if a company processes over 80,000 transactions annually [xi]. Smaller companies are required to perform self-assessments. With the bad press, many companies are now taking these assessments seriously, in order to avoid the new disclosure laws in several states requiring both individual and at times mass media notification of breaches. Many, however, argue that only six percent of all known cases of identity theft or fraud are attributable to data breaches, and that consumers are being misled about ways to prevent theft [xii]. We agree that the recent data breach hype, as well as the trend towards notification laws, is desensitizing individuals to its inevitability and occurrence. The same misunderstanding occurs when individuals believe hackers, malicious code and malicious insiders are responsible for data breaches, when in reality they account for only 10%, 6% and 6% of breaches respectively [xiii]. Thus, we want to stress the creation of legislation that not only prevents malicious attacks (which occur in any system, regardless of its security), but also protects consumers against the creeping sense that data breaches are inevitable. The primary concern should not be what to do when a breach occurs; legislation should instead address the fact that the majority of breaches occur almost accidentally, due to negligence and poor internal management policies.
Making the PCI standard part of federal legislation, perhaps as a part of the notification legislation we will discuss soon, will serve to prevent data mismanagement, such that fraud and theft are no longer an easy option. This legislation, we believe, should include an allowance for businesses that manage data to be brought into civil liability class action suits that up until now have been rejected for want of "actual harm" claims. Thus, we argue that tort law needs to catch up with today's increasing occurrence of internet-based harms [xiv], and impose weak liability sanctions on businesses that themselves have no active sanctions in place for the negligent behavior of their data managers and staff with access to database records.

Additionally, since most data breaches are occurring at the mom-and-pop shop level, as such shops make up over 85% of credit card transactions nationwide, local business bureaus should have education plans mandated for existing companies. It was found that of 600 companies with 250 employees or fewer, 52% were unknowingly storing sensitive customer information on their systems [xv]. Thus, it seems that the credit card processing companies must be held liable for the education of their clients regarding PCI standards; that is, small businesses must be indemnified if such standards were not made apparent in their contracts, and/or if they are PCI compliant. However, if data is lost, identifiable during transmission, or posted, or if a device with data is lost or mismanaged, sanctions for negligence should be in place. In this respect, incentives at the individual and small business level for preventing security breaches before they occur would complement the punishments companies fear after they occur through the notification laws in effect today. Such security regulations that trickle down to the local level should reduce the incidence of data breaches, and not just compensate for a loss that ought not to have occurred in the first place. Thus, proper regulations will hopefully make companies rethink whether administering database records of their clients outweighs the risks associated with the sanctions for not having a proper, PCI compliant security system installed, and the risks of the sanctions we will discuss below when and if a security breach does occur. The goal of this will be to force companies to take the storage and processing of personal data seriously, and perhaps spur innovation such as the use of internally developed identification numbers that replace other forms of identification (e.g., social security number) when tracking customer data.

When should those whose data has been compromised be notified of a data breach?
The first assumption that data breach notification legislation makes is that companies, to avoid being the bearer of bad news to customers and hence reducing their confidence in the services offered, will take steps to deter security breaches from occurring in the first place. The second is that through notification, customers may re-assess the cost-benefit of continuing a relationship with the company. Whether or not these assumptions, which guide the recent efforts of state legislation, actually serve as a deterrent has been the subject of much academic speculation [xvi]. We will side with the opinion that disclosure laws, while absolutely necessary for upholding an individual's rights to privacy, are not sufficient deterrents in themselves. California began the trend, and enacted two pieces of consumer rights legislation in 2003. The security breach statute [xvii] requires:

"any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, [to] disclose any breach of the security system…to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

As this legislation applies only to "unencrypted personal information," in order to avoid liability under the statute, a company need only encrypt computerized non-public information. Additionally, "unauthorized" access becomes authorized once companies require need-to-know permission standards through the establishment of passwords and mandatory employee training on information security standards [xviii]. We applaud this groundbreaking first attempt at providing incentive to companies to safeguard the data of their clients. Javelin Strategy and Research published a study that found 30% of consumers (in their 5 year longitudinal sample) were victims of data breach, with only 6% of those suffering identity fraud [xix]. Thus, notification laws, if they do function as deterrents, need to go hand in hand with public education. That is, incidences of fraud were much more likely (30%) to occur due to lost or stolen personal items (e.g., wallets), suggesting that the recent public hype fed by media attention may only get worse if every time a breach occurs people must be notified by law. It is not clear whether companies are releasing data breach information because they are starting to be more vigilant in seeking breaches (presumably because of the new laws in some states), or in order to control their public image [xx]. This makes it difficult to determine whether the sudden increases reflect more reporting, or reveal actual new vulnerabilities in data processing and storage. Approximately 44 states now have notification laws, and while the rationale for these is fundamentally the same, the details widely diverge.
Some states require that a credit card's access code be divulged to justify the disclosure of breaches (e.g., California's), while this is not so in the Kansas bill. Only some require the secure destruction of sensitive data on paper. Pennsylvania considered legislation to close the encryption exemption, requiring disclosure even if the data were originally encrypted. Eighteen states deem the "belief" (by whom?) that stolen data will "not be misused" an exemption; and others exempt disclosure if card numbers have been redacted in another form [xxi]. These discrepancies lead to public relations issues when disclosing to customers in some states but not others, among other possible confusions nationwide.

We feel strongly about five exemptions to disclosure. Firstly, in order not to unduly alert consumers, if card numbers cannot be linked to access codes, notification need not occur. Secondly, given that hackers can fool their way into encrypted data, and that encryption is not the be-all and end-all of protection, encryption should not automatically justify an exemption (especially if access cards are available). Thirdly, companies may not self-exempt from disclosure based on their own definition of what can and cannot be "misused," but may do so when independent auditors can make the case after an appropriate assessment of risk is carried out. Fourthly, redacted data should be exempt, but only if no link from the redacted data to the original was divulged. And fifthly, third-party credit card processing companies cannot indemnify themselves against breaches when their retail clients have not been educated regarding the storage and processing characteristics of the card-reading software packages utilized. On a similar note, and in place of all current state notification laws, is the opposite: if companies outsource customer data processing, they are still liable for how that data is processed and stored.

Should those whose information has been compromised be given the right to receive compensation for damages, and what actions should the company losing the data be required to take to minimize damages?

Currently, there are two bills active in the Senate (Leahy-Specter's S.495; and Feinstein's S.239) and two in the House (Rush and Stearn's H.R.958; and Smith's H.R. 836) [xxii]. The main issue of contention in many of these bills is whether consumer notification should occur given a "reasonable" risk of harm, or whether this risk need qualify as "significant." In either case, and we repeat, this risk assessment must be part of an independent inquiry, and make up one of many other more objective benchmarks (e.g., as listed above) that, taken together, determine whether or not disclosure is the most prudent path.
With no other sanctions in place for a breach of data, it is imperative that companies, when required by law to send out notification, are also obliged by law to offer free credit monitoring services for a to-be-specified number of years, depending on the breach severity. In other words, we are of the opinion that notification laws are in themselves an insufficient deterrent, albeit a necessary action towards diminishing security fraud.

Notification laws are an insufficient deterrent on multiple grounds. Firstly, the breach may occur at one of the "back office" processing companies (e.g., data couriers or data brokers), leading to consumer confusion regarding whether shopping elsewhere effectively punishes anybody. Also, with larger companies such as banks, consumers not only fear the cost of changing companies, they also may begin to feel its ineffectiveness, assuming all such companies are equally likely to incur a breach. As with the media hype, consumers begin to consider breaches "normal." Companies often would prefer it this way, as breach desensitization leads consumers to waive market punishment; indeed, many feel such notices would lead only to "crying wolf," bringing customers to ignore such warnings wholesale [xxiii]. For instance, TJX Companies Inc. incurred only a slight dip in share price when its security breach was announced in January 2007, and customers expressed lax concern given its low prices while justifying that it could have happened to any company. After a class action lawsuit was filed a few weeks later, the share price fell [xxiv]. Consumers also feel protected by the cardholder agreements that insulate their losses, probably forgetting that they pay for these through increasing fees; nor do they consider the process of identity theft recovery, which has been described as arduous and intimidating [xxv]. Thus, notification may not necessarily function as an indirect form of consumer sanction, as it was originally conceived.

We believe the courts need to begin to consider the prospect of allowing civil liability cases to be heard when and if it can be established that, had the breach not occurred, the theft of data would not have occurred. This causality claim has not done well in court, however, as the customer presumably submits the very data lost to many institutions other than the one that incurred the breach; nor can it be established that identity theft is an event that ordinarily does not take place when a company has not been negligent [xxvi]. This is to say, data security negligence does not ordinarily lead to identity theft. Given the statistics, that seems to be true, despite the hype. It also means that the personal information may have been shared with different institutions and hence misused elsewhere, invoking no liability to the company originally responsible. This is a question of privacy law, which we will come to next.
Torts have also been rejected as a form of civil liability because "actual harm" is only the fear of the possibility of future harm, and so this argument has not even been able to sustain awards of credit monitoring as personal compensation for a breach [xxvii]. Therefore, we believe it should not be the sole job of courts to craft solutions for each and every case of identity fraud. Instead, legislation must be drafted which allows the pinpointing of responsibility through regulatory standards. More stringent rules are needed to motivate businesses to comply with data security standards, as we discussed above. Minnesota was the first state that, in addition to enticing companies to change through the notification deterrent, also decided to punish companies by giving PCI standards legal standing. The Plastic Card Security Act [xxviii] makes companies that process more than 20,000 transactions annually liable to banks and credit unions for the costs of credit card blocking and re-issuance, if sensitive information is found to be stored after certain limits, something that PCI explicitly prohibits [xxix]. Massachusetts has a similar law, which includes government bodies under its definition of "commercial entity" [xxx].

Even still, this may not be enough to get smaller companies, the 52% cited above guilty of storing sensitive nonpublic information, to comply. Often, these smaller companies are storing data without even knowing it, as the packaged payment applications they utilize store this information by default. For this reason, we are urging that the card processing ("back-office") companies that distribute these packaged programs be held accountable for updating software packages in compliance with this regulation, as well as for educating their retail clients about these storage regulations in order to indemnify themselves against future claims, thereby making the businesses themselves accountable for non-compliance. In this way, we have argued, liability claims are allowed to trickle down. As it is, many smaller businesses are being fined for security breaches they believed they had made a sincere attempt to control through firewall protection and passwords.

Individuals are also a main concern. Notifications need to come with clear and concise information about how the breaching institution is going to compensate for its negligence, not just a vague and empty informational letter. If individuals are powerless in court, even as a class action, we need to see legislation at the federal level that not only protects the financial institutions, but also extends a statutory right of action to consumers. At the very least, laws are needed that require as part of notification a writ of guaranteed credit monitoring services which, in the case of credit fraud, also covers all personal costs and troubles associated with clearing the debts and accounts created by the thieves. As it is, the Federal Trade Commission advises much persistence in getting local and state police sources to recognize fraud, a step necessary to get collection agencies to rescind their legal duty to collect [xxxi].
In other words, businesses should not just be held responsible for ensuring that financial institutions are covered in their losses, but that individuals are likewise covered for the costs associated with both future credit monitoring, and the larger personal costs associated with clearing the debts and accounts created by the thieves. The costs of credit monitoring should be borne by the company, such that an incentive is created to re-analyze the benefit of maintaining personal data weighed against the costs of possible breaches due to disorganization, sloppy internal work ethic, file-sharing and data vending, and of course any other risk associated with PCI non-compliance. If all companies are under the same level of regulation at each level in the system (from credit card agencies, to processing companies, to retail businesses) to ensure that they are PCI compliant at the least, this is incentive enough to motivate businesses to work harder to guarantee a secure marketplace in which to do business.
Is there a need to pass consumer privacy laws so that they impose fair information practices upon creators of databases containing confidential information?

Data managers know the value of reusing data. However, few individuals realize that the personal information they provide is and can be bought and sold as a good. The questions above deal with data security and its failure. This is distinct from what companies can legally do with personal information once they have it, whether individuals are aware that companies are even gathering information about them, and hence what rights individuals have and what permissions need to be granted regarding its ownership, preservation and sharing. Given that recent news regarding data breaches is waking up individuals, privacy groups are rethinking the implications of the 1974 Privacy Act [xxxii] and the meaning of its "fair information practices" given the expanding intrusion of companies and government as a result of the free flow of information on the Internet. The USA Patriot Act [xxxiii] began an era of increased government surveillance once again, as government again began collecting data about individuals with neither consent nor recourse to oversight or legal challenge.

In the European Union, on the other hand, personal privacy laws are relatively advanced. The European Commission passed Directive 95/46/EC on the "Protection of Individuals with Regard to the Processing of Personal Data and on the Movement of Such Data" [xxxiv]. In contradistinction, the U.S. has no overarching federal policy, preferring instead to adopt privacy legislation "as needed," as sectors and events see fit. For this reason, we see a proliferation of acts, such as the Video Protection Act [xxxv], the Cable Television Consumer Protection and Competition Act [xxxvi], the Health Insurance Portability and Accountability Act (HIPAA) [xxxvii], the Children's Online Privacy Protection Act (COPPA) [xxxviii], and the Fair Credit Reporting Act [xxxix], among others. Former President Bill Clinton and Vice President Al Gore advised in their "Framework for Global Electronic Commerce" that "the private sector should lead," "governments should avoid undue restrictions on electronic commerce," and ironically even that "Electronic Commerce over the Internet should be facilitated on a global basis" [xl].

Advances in data mining allow searching for correlations and patterns amongst data. This is not hypothetical deduction, as in science, but hypothetical induction. A graduate student, for example, by tracking the IP fingerprints across millions of Wikipedia entries, traced a systematic deletion of critical information regarding e-voting machines back to the very company producing those machines [xli]. A Carnegie Mellon professor, Latanya Sweeney, found that by knowing just an individual's postal code and birth date, that individual's personal information in a putatively anonymous public database could be identified with 69 percent accuracy, and even 87 percent if the gender is also known [xlii]. Thus, while HIPAA allows a small portion of data to be utilized for marketing purposes if and only if it is stripped of all personal identifiers, data miners may re-identify the person by making correlations across other databases.

We believe, firstly, that federal law should ensure that information as sensitive as medical data is never marketed. Secondly, if the U.S. does wish to continue making piecemeal legislation on an as-needed basis, basic federal rules consistent with the "fair information practices" outlined in the Privacy Act must provide the unwavering fundamentals to which these piecemeal laws must conform. There are also recommendations to fight data mining indirectly [xliii]. For example, after records have been de-identified, average values for fields (across five to ten records) or known amounts of random noise could be used, or a random amount of noise could be introduced across all records. Both methods would still allow for data-analytic breakdown and accurate analyses by researchers or marketers wishing to use the data in their studies. This, however, while it is a form of data encryption, does not solve the more fundamental problem of personal rights of privacy we endorse in this paper.

For one, we call for a strict opt-in policy for any data sharing and marketing. That is to say, it is a dangerous default and precedent to begin requiring individuals to take active measures themselves to investigate and inform themselves regarding what a company's plan is for the data they provide. If that plan is mere storage, users may be presented with an opt-out option; but only in this case. And even then, consumers should not have to take active steps to opt out.
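As an added illustration (not from the paper), the following Python measures the linkage risk behind the Sweeney result above, records that are alone in their postal code / birth date / gender combination, and applies the two mitigations the paper names: averaging a field across groups of five records and adding a known amount of random noise. Every record, field name and function here is constructed for this example.

```python
"""Measuring and reducing re-identification risk in a "de-identified" table.

Constructed example: the records are synthetic. The quasi-identifiers are the
three fields the paper cites from Sweeney's work (postal code, birth date,
gender). An equivalence class is the set of records sharing one combination of
those values; a class of size 1 is a record that any second dataset carrying
the same three fields could single out.
"""
from collections import Counter
from statistics import mean
import random

QUASI_IDENTIFIERS = ("zip", "dob", "sex")

# Constructed "de-identified" health records: names removed, quasi-identifiers intact.
RECORDS = [
    {"zip": "13244", "dob": "1980-03-14", "sex": "F", "charge": 410.0},
    {"zip": "13244", "dob": "1980-03-14", "sex": "F", "charge": 225.0},
    {"zip": "13210", "dob": "1975-11-02", "sex": "F", "charge": 980.0},
    {"zip": "13210", "dob": "1975-11-20", "sex": "F", "charge": 150.0},
    {"zip": "13224", "dob": "1962-07-09", "sex": "M", "charge": 1200.0},
    {"zip": "13224", "dob": "1962-07-09", "sex": "M", "charge": 640.0},
    {"zip": "13203", "dob": "1991-01-30", "sex": "F", "charge": 310.0},
    {"zip": "13203", "dob": "1991-01-30", "sex": "F", "charge": 75.0},
    {"zip": "13205", "dob": "1958-05-21", "sex": "M", "charge": 520.0},
    {"zip": "13206", "dob": "1958-05-21", "sex": "M", "charge": 890.0},
]


def qi_key(record, keys=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values for one record."""
    return tuple(record[k] for k in keys)


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Size of each quasi-identifier equivalence class."""
    return Counter(qi_key(r, keys) for r in records)


def smallest_class(records, keys=QUASI_IDENTIFIERS):
    """The k in k-anonymity: every record shares its quasi-identifiers with at least k-1 others."""
    return min(equivalence_classes(records, keys).values())


def unique_fraction(records, keys=QUASI_IDENTIFIERS):
    """Fraction of records that are alone in their class, i.e. directly linkable."""
    classes = equivalence_classes(records, keys)
    singletons = sum(1 for r in records if classes[qi_key(r, keys)] == 1)
    return singletons / len(records)


def generalize(record):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and birth year only."""
    return {**record, "zip": record["zip"][:3], "dob": record["dob"][:4]}


def aggregate_charges(records, group_size=5):
    """Replace each charge with the mean over its group of `group_size` records
    (the paper's 'average values for fields across five to ten records').
    The overall mean is preserved exactly, so aggregate analyses still work."""
    out = []
    for start in range(0, len(records), group_size):
        group = records[start:start + group_size]
        avg = mean(r["charge"] for r in group)
        out.extend({**r, "charge": avg} for r in group)
    return out


def add_noise(records, sigma=50.0, seed=1):
    """Add zero-mean Gaussian noise of known scale sigma to each charge
    (the paper's 'known amounts of random noise'); seed fixed for reproducibility."""
    rng = random.Random(seed)
    return [{**r, "charge": r["charge"] + rng.gauss(0.0, sigma)} for r in records]


def mean_charge(records):
    """Mean of the charge field, used to check that mitigations keep it usable."""
    return mean(r["charge"] for r in records)


if __name__ == "__main__":
    print("raw: unique fraction", unique_fraction(RECORDS), "k =", smallest_class(RECORDS))
    coarse = [generalize(r) for r in RECORDS]
    print("generalized: unique fraction", unique_fraction(coarse), "k =", smallest_class(coarse))
    print("mean charge raw / aggregated / noisy:",
          mean_charge(RECORDS), mean_charge(aggregate_charges(RECORDS)),
          round(mean_charge(add_noise(RECORDS)), 1))
```

On the constructed table, 40% of raw records are unique on the three fields; coarsening ZIP to its prefix and birth date to its year leaves no singleton, while aggregation keeps the mean charge exactly and noise keeps it approximately.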
On the other hand, if the company's plan is to share, sell, or market the data at any time, consumers must be provided with an opt-in option up front, with a summarized and understandable (i.e., not legalese) statement of the terms of those plans. Additionally, these may not be disguised through formats such as opting in or out of newsletters or updates (a.k.a. spam). This form of opting in or out, whichever the case, must also be made more robust and not depend on cookies, which upon deletion (accidental or intentional) often render such agreements void. Such legislation must be passed in a way that resists attempts by private industry lobbyists to influence these fundamental protections. Of course, given the proliferation of Acts, it is difficult to make a wholesale rejection of the current U.S. implementation of data privacy laws on a sector-by-sector basis. For this reason, we call for an overarching federal policy that at least sets guidelines and fundamentals, as is done in the European Union, and insists that data protectors are employed to ensure compliance. Sector-by-sector acts may vary, but may not violate what should be considered inviolate privacy protections in today's age of information. They provide the control users have a right to feel against their fears, however irrational they may or may not be, of data breaches, which notification laws are just now making more salient. They also reduce the secondary and indirect need for database managers to add noise or aggregate data, or for the Safe Harbor agreements that provide Europeans protections that accord with fair information policies, while denying U.S. citizens the same privacy assumptions. While we are not opposed to recent industry-led efforts to secure a standardized set of policy rules, as TRUSTe and P3P [xliv] have done (and indeed applaud the effort), we still argue the most basic privacy disclosures should be a fundamental right of individuals, such that these standards are required under law.

Conclusion

Due to recent notification laws, data breaches have penetrated the public consciousness. Notification laws are an effective step in providing incentive to companies to protect their databases with rigor. These may be insufficient, nevertheless, and must be accompanied by campaigns to balance the hype such initiatives create with education regarding the real causes of breaches. Companies at each level of credit card transactions must also incur, through federal regulation, the costs associated with breaches of non-public personal information. Incentive thus must be paired with consequences, such that companies, even small companies, are educated regarding data security standards, whereby not knowing is sufficient reason for assigning blame not just in the legal system (if necessary), but at a federal regulatory level. In addition, security must go hand in hand with privacy. Breaches of public information, while often the result of workplace negligence, are also a reality due to lax standards harnessed through private sector lobbying that allow data sharing, selling and marketing without the consumer's informed consent.
These are trends that must reverse if the United States is to compete globally, and provide its own citizens with the privacy protections both it and the EU grant to citizens of Europe. Opting out should not be entrenched in the public mind as a default, whereby individuals must act to protect themselves. Privacy protections at the individual level should be presupposed.

Footnotes
[i] Privacy Rights Clearinghouse (July 11, 2008). A chronology of data breaches. http://www.privacyrights.org/ar/ChronDataBreaches.htm.
[ii] Ponemon Institute (November 28, 2007). Ponemon study shows data breach costs continue to rise. http://www.pgp.com/newsroom/mediareleases/ponemon-us.html.
[iii] Krebs, Brian (July 1, 2008). Data breaches are up 68% this year, nonprofit says. Washington Post. http://www.washingtonpost.com/wp-dyn/content/article/2008/06/30/AR2008063002123.html.
[iv] Fontana, John (Nov 2, 2006). Average data breach costs companies $5 million. http://www.networkworld.com/news/2006/110206-data-breach-cost.html.
[v] Data Loss Archive and Database (DLDOS). http://attrition.org/dataloss/. See also ibid.
[vi] Ponemon Institute and RedCannon Security (Dec, 2007). Survey of US IT practitioners reveals data security policies not enforced. http://www.redcannon.com/news_and_events/press_release_ponemon.html.
[vii] S.B. 1386, codified in Cal. Civ. Code § 1798.82. A description of this law can be found at www.privacyrights.org/ar/SecurityBreach.htm.
[viii] For a chart of state-by-state legislation, see http://www.digestiblelaw.com/files/upload/securitybreach.pdf.
[ix] Katz, M. L. (2008). Data security: Into the breach. The Maryland Bar Journal, 41(1).
[x] Safeguards Rule: Laws and Rules. Pub. L. No. 106-102, Title V Subtitle A. See http://www.ftc.gov/privacy/privacyinitiatives/safeguards_lr.html.
[xi] Allan, Danny (June, 2008). Payment card industry mandate stresses importance of web application security: Recommended becomes required. http://www.net-security.org/article.php?id=1143&p=1. See also PCI Security Standards Council https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.
[xii] Finextra.com (September, 2006). Data breach hype is misleading consumers: study. http://www.finextra.com/fullstory.asp?id=15860.
[xiii] Ibid. Fontana, John (Nov 2, 2006). Average data breach costs companies $5 million. http://www.networkworld.com/news/2006/110206-data-breach-cost.html.
[xiv] See Rustad, M. L. & Koenig, T. H. (2005). Rebooting cybertort law. Washington Law Review Association, 80.
[xv] Sidel, Robin (September 2007). In data leaks, culprits often are Mom, Pop. http://online.wsj.com/article/SB119042666704635941.html?mod=sphere_ts.
[xvi] Schwartz, P. & Janger, E. (2007). Notification of data security breaches. Michigan Law Review, 105. See also Picanso, K. E. (2006). Protecting information security under a data breach notification law. Fordham Law Review, 75.
[xvii] SB 1386, codified as Civil Code § 1798.82, et seq.
[xviii] Brelsford, James F. (September 2003). California raises bar on data security and privacy. FindLaw. http://library.findlaw.com/2003/Sep/30/133060.html.
[xix] Javelin Strategy and Research (June 2008). New Javelin research pinpoints how institutions should respond to data breaches. http://www.javelinstrategy.com/2008/06/23/debix_06_23_08/.
[xx] Says Linda Foley of the Identity Theft Resource Center, http://www.idtheftcenter.org/. Reported in Krebs, Brian (July 2008). Data breaches are up 69% this year, nonprofit says. Washington Post. http://www.washingtonpost.com/wp-dyn/content/article/2008/06/30/AR2008063002123.html.
[xxi] Alexander, Philip (April 2007). Data breach notification laws: A state by state perspective. Intelligent Enterprise. http://www.intelligententerprise.com/channels/information_management/showArticle.jhtml?articleID=198800638.
[xxii] For all the details regarding each of these bills, see the Privacy and Security Law Blog at http://www.privsecblog.com/archives/federal-legislation-pending-privacy-and-data-security-legislation-in-the-110th-congress.html.
[xxiii] Schwartz & Janger, ibid. For a set of economic arguments, see Romanosky S., Telang R. & Acquisti, A. (2008). Do data breach disclosure laws reduce theft? Seventh Workshop on the Economics of Information Security.
[xxiv] Wiltshire, Elaine (2007). Cyber-enemy at the gates. The Bottom Line, 24(8). http://www.thebottomlinenews.ca/index.php?articleid=242&section=article.
[xxv] Federal Trade Commission. Defend: Recover from identity fraud. http://ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html#Whatisanidentitytheftreport.
[xxvi] Chandler, J. (2008). Negligence liability for breaches of data security. Banking and Finance Law Review, 23(2).
[xxvii] Chandler, J. (2008), ibid.
[xxviii] Minnesota Statute 325E.64 Access devices; breach of security (2007). https://www.revisor.leg.state.mn.us/statutes/?id=325E.64&year=2007&keyword_type=all&keyword=security+breach+liability.
13xxix Vijayan, Jaikumar (May 2007). Minnesota gives PCI rules a legal standing. Computer World.http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=standards_and_legal_issues&articleId=293804&taxonomyId=146.xxx Massachusetts House Bill No. 213 (2007). http://www.mass.gov/legis/bills/house/185/ht00pdf/ht00213.pdfxxxi Federal Trade Commission. Defend: Recover from identity theft.http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html.xxxii P.L. 93-579, 88 Stat. 1897, 5 U.S.C. § 552a (1974).xxxiii P.L. 107-56, 115 Stat. 272 (2001), then later P.L. 109-77 (2006).xxxiv Directive 95/46/EC was implemented in 1995 by the European Commission. http://www.cdt.org/privacy/eudirective/EU_Directive_.html. xxxv 18 U.S.C. § 2710 (2002). http://epic.org/privacy/vppa/.xxxvi P.L.102-385 (2002). http://projects.washingtonpost.com/congress/102/bills/s_12/.xxxvii P.L. 104-191 (1996). http://www.ihs.gov/AdminMngrResources/HIPAA/.xxxviii 15 U.S.C. §§ 6501-6506, P.L. No. 105-277, 112 Stat. 2681-728 (2000). http://epic.org/privacy/kids/.xxxix 15 U.S.C. § 1681 et seq (1996). http://www.consumersunion.org/pub/core_financial_services/000745.html.xl A Framework for Global Electronic Commerce, The White House (July 1997).http://www.technology.gov/digeconomy/framewrk.htm.xli Borland, J. (August 2007). See who’s editing Wikipedia—Diebold, the CIA, a campaign. Wired.http://www.wired.com/politics/onlinerights/news/2007/08/wiki_tracker.xlii Reported in Edelstein, H. & Millenstein, J. (Dec 2003). DM Review Magazine.http://www.dmreview.com/issues/20031201/7768-1.html.xliii For example, see again Edelstein, H. & Millenstein, J. ibid.xliv See www.truste.org and www.w3.org/P3P respectively.