
Data Breaches



  1. 1. Stephen J. Stose IST 618--Dr. Thomas MartinSyracuse University School of Information Studies Summer 2008   Data  Breaches     “Over  233  million  data  records  of  U.S.  residents  have  been  exposed  due  to  security   breaches  since  Jan  05i.”    Background  The  Ponemon  Institute,  a  company  dedicated  to  advancing  responsible  information  management  policies,  reports  that  companies  in  2007  spent  an  average  of  6.3  million  dollars  in  costs  associated  with  lost  or  stolen  data,  a  30%  increase  over  the  preceding  yearii.  This  means  an  average  cost  of  $197  per  compromised  record,  up  from  $182.    In  2008,  the  Identity  Theft  Resource  Center  reports  a  69%  increase  in  data  breaches,  20%  of  which  constitute  lost  or  stolen  devices,  and  15%  constituting  “inadvertent  posting.iii”  The  Ponemon  Institute  reports  even  higher  figures  for  lost  or  stolen  devices:  49%  in  2006iv.  Indeed,  maintains  an  updated  list  of  these  breaches.  Perusing  the  list,  these  and  other  forms  of  negligence,  such  as  improperly  stored  and/or  transmitted  data,  comprise  the  surprising  majority  of  casesv.  Indeed,  current  workplace  habits  such  as  downloading  or  copying  confidential  records  onto  personal  devices,  turning  off  security  settings  or  firewalls,  sharing  passwords,  or  sending  attachments  to  home  computers  are  commonvi.      These  increases  are  startling,  but  may  be  attributed  to  a  higher  incidence  of  reporting  the  occurrence  of  breaches.  Since  California’s  security  breach  notification  legislation  came  into  effect  in  2003vii,  many  states  now  have  similar  notification  laws,  and  companies  are  now  considering  their  effectsviii .  The  U.S.  (contrary  to  the  E.U.)  has  no  overarching  law  that  governs  how  the  private  sector  uses  and  protects  personal  information.  
Instead,  it  promotes  industry  self-­‐‑regulation  through  privacy  and  technology  statements,  and  opt-­‐‑out  standards  that  apply  in  a  patchwork  fashion  depending  on  the  types  and  uses  of  information  collected  and  storedix.  Two  possible  effects  state  notification  laws  have  in  common  are:  1)  loss  of  reputation  and  hence  market  share,  and  2)  customer  re-­‐‑assessment  of  risk  in  doing  business  with  the  chosen  entity.    We  will  argue  in  another  section  that  notification  laws  are  not  sufficient  to  deter  substandard  data  security.  Additionally,  these  measures,  while  seeking  to  indemnify  customers  against  actual  breaches,  may  do  nothing  to  prevent  the  breach  in  the  first  place.      The  Gramm-­‐‑Leach-­‐‑Bliley  Actx  is  a  federal  regulation  to  prevent  fraudulent  access  to  financial  information  through  impersonation,  phone,  mail,  email,  or  phishing  (15  U.S.C.  
  2. 2. 2§  6821-­‐‑6827);  it  also  requires  that  institutions  have  information  security  plans  enacted  that  specify  how  a  company  will  protect  and  ensure  the  privacy  of  non-­‐‑public  personal  information  (15  U.S.C.  §  6801-­‐‑6809).    These  regulations  apply  only  to  financial  institutions,  however,  and  not  to  general  small  businesses,  e-­‐‑commerce  or  social-­‐‑networking  transactions.      We  believe  other  such  over-­‐‑arching  regulation  needs  to  be  developed  federally  that  covers  all  information  collection  endeavors  in  the  new  age  of  electronic  transmissions.  This  should  include  data  security  and  breach-­‐‑notification  laws,  rules  that  specify  penalties  for  breaches,  and  strong  privacy  laws  requiring  companies  to  disclose  their  privacy  statements  along  with  assumptions  of  transparency.  The  default,  we  believe  should  be  more  akin  to  opt-­‐‑in;  that  is  to  say,  consumers  should  not  be  required  to  work  to  keep  their  data  secure  and  private.      Perspective    The  paper  is  written  from  the  perspective  of  an  information  professional,  as  well  as  a  daily  participant  in  the  new  world  of  electronic  communication  and  commerce.    My  background  as  a  social  scientist  enables  me  a  high  level  of  analysis  into  pertinent  issues  of  data  and  its  importance  to  the  livelihood  of  conducting  business  and  commerce,  while  still  respecting  fundamentally  human  aspects  of  rights  to  privacy,  data  protection,  and  security.  These  beliefs  are  fundamental  to  this  analysis,  and  it  attempts  to  uphold  the  1974  Privacy  Act  as  close  to  the  letter  as  possible,  despite  trends  that  continue  to  the  contrary.  
Nevertheless,  it  attempts  to  adapt  itself  to  current  realities,  while  still  making  recommendations  believed  to  create  a  stronger,  safer  and  more  human  system  of  electronic  communications  and  commerce.        Issue  Questions    The  issues  I  will  address  in  this  paper  are:     1. Is  there  a  need  for  legislation  to  ensure  that  confidential  information  is  stored   securely  so  that  the  incidence  of  data  breaches  can  be  reduced?   2. When  should  those  whose  data  has  been  compromised  be  notified  of  a  data   breach?   3. Should  those  whose  information  has  been  compromised  be  given  the  right  to   receive  compensation  for  damages,  and  what  actions  should  the  company   losing  the  data  be  required  to  take  to  minimize  damages?  
  3. 3. 3 4. Is  there  a  need  to  pass  consumer  privacy  laws  so  that  they  impose  fair   information  practices  upon  creators  of  databases  containing  confidential   information?      Is  there  a  need  for  legislation  to  ensure  that  confidential  information  is  stored  securely  so  that  the  incidence  of  data  breaches  can  be  reduced?      One  standard,  developed  by  the  various  credit  card  companies,  is  called  the  Payment  Card  Industry  Data  Security  Standard  (PCI  DSS).  This  is  now  a  mandatory  twelve-­‐‑step  global  standard  that  ensures  the  protection  of  all  cardholder  data,  and  requires  external  auditing  if  a  company  processes  over  80,000  transactions  annuallyxi.  Smaller  companies  are  required  to  perform  self-­‐‑assessments.  With  the  bad  press,  many  companies  are  now  taking  these  assessments  seriously,  in  order  to  avoid  the  new  disclosure  laws  in  several  states  requiring  both  individual  and  at  times  mass  media  notification  of  breaches.      Many,  however,  argue  that  only  six  percent  of  all  known  cases  of  identity  theft  or  fraud  are  attributable  to  data  breaches,  and  that  consumers  are  being  misled  about  ways  to  prevent  theftxii.    We  agree  that  the  recent  data  breach  hype,  as  well  as  the  trend  towards  notification  laws,  is  desensitizing  individuals  to  its  inevitability  and  occurrence.  The  same  misunderstanding  occurs  when  individuals  believe  hackers,  malicious  code  and  malicious  insiders  are  responsible  for  data  breaches,  when  in  reality  they  only  account  for  10%,  6%  and  6%  of  breaches  respectivelyxiii.      
Thus,  we  want  to  stress  the  creation  of  legislation  that  prevents  not  just  malicious  attacks  (which  occur  in  any  system,  regardless  of  its  security),  but  protects  consumers  against  the  creeping  desensitization  of  the  inevitability  of  a  data  breaches,  such  that  the  primary  concern  is  not  what  to  do  when  it  occurs,  but  stresses  the  fact  that  the  majority  of  breaches  occur  almost  accidentally,  due  to  negligence  and  poor  internal  management  policies.  Making  the  PCI  standard  part  of  federal  legislation,  perhaps  as  a  part  of  the  current  notification  legislation  we  will  discuss  soon,  will  serve  to  prevent  data  mis-­‐‑management,  such  that  fraud  and  theft  are  no  longer  an  easy  option.  This  legislation,  we  believe,  should  include  an  allowance  for  businesses  that  manage  data  to  be  brought  into  civil  liability  class  action  suits  that  up  until  now  have  been  rejected  due  to  no  “actual  harm”  claims.  Thus,  we  argue  that  tort  law  needs  to  catch  up  with  the  today’s  increasing  occurrence  of  internet-­‐‑based  harmsxiv,  and  impose  weak  liability  sanctions  on  businesses  that  themselves  have  no  active  sanctions  in  place  for  the  negligent  behavior  of  its  data  managers  and  staff  with  access  to  database  records.      
  4. 4. 4Additionally,  since  most  data  breaches  are  occurring  at  the  mom-­‐‑and-­‐‑pop  shop  level,  as  they  make  up  over  85%  of  credit  card  transactions  nationwide,  local  business  bureaus  should  have  education  plans  mandated  for  existing  companies.  It  was  found  that  of  600  companies  with  250  employees  or  fewer,  52%  of  them  were  unknowably  storing  sensitive  customer  information  on  their  systemsxv.  Thus,  it  seems  that  the  credit  card  processing  companies  must  be  held  liable  for  the  education  of  their  clients  regarding  PCI  standards;  that  is,  small  businesses  must  be  indemnified  if  such  standards  were  not  made  apparent  in  their  contracts,  and/or  if  they  are  PCI  compliant.  However,  if  data  is  lost,  identifiable  during  transmission,  or  posted;  or  if  a  device  with  data  is  lost  or  mis-­‐‑managed,  sanctions  for  negligence  should  be  in  place.    In  this  respect,  incentives  at  the  individual  and  small  business  level  for  preventing  security  breaches  before  they  occur  would  complement  the  punishments  companies  fear  after  they  occur  through  the  notification  laws  in  effect  today.    Such  security  regulations  that  trickle  down  to  the  local  level  should  reduce  the  incidence  of  data  breaches,  and  not  just  compensate  for  a  loss  that  ought  not  to  have  occurred  in  the  first  place.      Thus,  proper  regulations  will  hopefully  make  companies  rethink  whether  administering  database  records  of  their  clients  outweigh  the  risks  associated  with  the  sanctions  in  place  of  not  having  a  proper  security  system  installed  that  is  PCI  compliant,  and  outweighs  the  risks  of  the  sanctions  we  will  discuss  below  when  and  if  a  security  breach  does  occur.  
The  goal  of  this  will  be  to  force  companies  to  take  the  storage  and  processing  of  personal  data  seriously,  and  perhaps  create  innovation  to  begin  using  internally  developed  identification  numbers  that  replace  other  forms  of  identification  (e.g.,  social  security  number)  when  tracking  customer  data.        When  should  those  whose  data  has  been  compromised  be  notified  of  a  data  breach?    The  first  assumption  that  data  breach  notification  legislation  makes  is  that  companies—to  avoid  being  the  bearer  of  bad  news  to  customers,  and  hence  reduce  their  confidence  in  the  services  it  offers—will  take  steps  to  deter  security  breaches  from  first  occurring.  The  second  is  that  through  notification,  customers  may  re-­‐‑assess  the  cost-­‐‑benefit  of  continuing  a  relationship  with  the  company.  Whether  or  not  these  assumptions,  which  guide  the  recent  efforts  of  state  legislation,  actually  serve  as  a  deterrent  has  been  the  subject  of  much  academic  speculationxvi.    We  will  side  with  the  opinion  that  disclosure  laws,  while  absolutely  necessary  for  upholding  an  individual’s  rights  to  privacy,  are  not  sufficient  deterrents  in  themselves.  California  began  the  trend,  and  enacted  two  pieces  of  consumer  rights  legislation  in  2003.  The  security  breach  statutexvii  requires:      
  5. 5. 5   "ʺany  person  or  business  that  conducts  business  in  California,  and  that  owns  or     licenses  computerized  data  that  includes  personal  information,  [to]  disclose  any     breach  of  the  security  system…to  any  resident  of  California  whose  unencrypted     personal  information  was,  or  is  reasonably  believed  to  have  been,  acquired  by     an  unauthorized  person."ʺ        As  this  legislation  applies  only  to  “unencrypted  personal  information,”  in  order  to  avoid  liability  under  the  statute,  a  company  need  only  encrypt  computerized  non-­‐‑public  information.  Additionally,  “unauthorized”  access  becomes  authorized  once  companies  require  need-­‐‑to-­‐‑know  permission  standards  through  the  establishment  of  passwords  and  mandatory  employee  training  on  information  security  standardsxviii .  We  applaud  this  groundbreaking  first  attempt  at  providing  incentive  to  companies  to  safeguard  the  data  of  their  clients.        Javelin  Strategy  and  Research  published  a  study  that  found  30%  of  consumers  (in  their  5  year  longitudinal  sample)  were  victims  of  data  breach,  with  only  6%  of  those  suffering  identity  fraudxix.  Thus,  notification  laws,  if  they  do  function  as  deterrents,  need  go  hand  in  hand  with  public  education.  That  is,  incidences  of  fraud  were  much  more  likely  (30%)  to  occur  due  to  lost  or  stolen  personal  items  (e.g.,  wallets),  suggesting  that  the  recent  public  hype  fed  by  media  attention  may  only  get  worse  if  every  time  a  breach  occurs  people  must  be  notified  by  law.  It  is  not  clear  whether  companies  are  releasing  data  breach  information  because  they  are  starting  to  be  more  vigilant  in  seeking  breaches  (presumable,  because  of  the  new  laws  in  some  states),  or  in  order  to  control  their  public  imagexx.  
This  makes  it  difficult  to  attribute  the  sudden  increases  to  more  reporting,  or  whether  it  reveals  actual  new  vulnerabilities  in  data  processing  and  storage.      Approximately  44  states  now  have  notification  laws,  and  while  the  rationale  for  these  are  fundamentally  the  same,  the  details  widely  diverge.    Some  states  require  that  a  credit  card’s  access  code  be  divulged  to  justify  the  disclosure  of  breaches  (e.g.,  California’s),  while  this  is  not  so  in  the  Kansas  bill.  Only  some  require  the  secure  destruction  of  sensitive  data  on  paper.  Pennsylvania  considered  legislation  to  close  the  encryption  exemption,  requiring  disclosure  even  if  the  data  were  originally  encrypted.    Eighteen  states  deem  the  “belief”  (by  whom?)  that  stolen  data  will  “not  be  misused”  as  an  exemption;  and  others  exempt  disclosure  if  card  number  have  been  redacted  in  another  formxxi.  These  discrepancies  lead  to  public  relations  issues  when  disclosing  to  customers  in  some  states  but  not  others,  among  other  possible  confusions  nationwide.    We  feel  strongly  about  five  exemptions  to  disclosure.  Firstly,  in  order  not  to  unduly  alert  consumers,  if  card  numbers  cannot  be  linked  to  access  codes,  notification  need  not  
  6. 6. 6occur.  Secondly,  given  that  hackers  can  fool  their  way  into  encrypted  data,  and  that  encryption  is  not  the  end-­‐‑all  to  protection,  encryption  should  not  automatically  justify  an  exemption  (especially  if  access  cards  are  available).  Thirdly,  companies  may  not  self-­‐‑exempt  disclosure  based  on  their  own  definition  of  what  can  and  cannot  be  “misused,”  but  may  do  so  when  independent  auditors  can  make  the  case  after  an  appropriate  assessment  of  risk  is  carried  out.  Fourthly,  redacted  data  should  be  exempt,  but  only  if  no  link  from  the  redacted  data  to  the  original  was  divulged.  And  fifthly,  third-­‐‑party  credit  card  processing  companies  cannot  indemnify  themselves  against  breaches  when  their  retail  clients  have  not  been  educated  regarding  the  storage  and  processing  characteristics  of  the  card-­‐‑reading  software  packages  utilized.  On  a  similar  note,  and  in  place  of  all  current  state  notification  laws,  is  the  opposite:  if  companies  outsource  customer  data  processing,  they  are  still  liable  for  how  that  data  is  processed  and  stored.          Should  those  whose  information  has  been  compromised  be  given  the  right  to  receive  compensation  for  damages,  and  what  actions  should  the  company  losing  the  data  be  required  to  take  to  minimize  damages?    Currently,  there  are  two  bills  active  in  the  Senate  (Leahy-­‐‑Specter’s  S.495;  and  Feinstein’s  S.239)  and  two  in  the  House  (Rush  and  Stearn’s  H.R.958;  and  Smith’s  H.R.  836)xxii.    
The  main  issue  of  contention  in  many  of  these  bills  is  whether  consumer  notification  should  occur  given  a  “reasonable”  risk  of  harm,  or  whether  this  risk  need  qualify  as  “significant.”    In  either  case,  and  we  repeat,  this  risk  assessment  must  be  part  of  an  independent  inquiry,  and  make  up  one  of  many  other  more  objective  benchmarks  (e.g.,  as  listed  above),  that—taken  together—determine  whether  or  not  disclosure  is  the  most  prudent  path.    With  no  other  sanctions  in  place  for  a  breach  of  data,  it  is  imperative  that  companies—when  required  by  law  to  send  out  notification—are  also  implicated  by  law  in  offering  free  credit  monitoring  services  for  a  to-­‐‑be-­‐‑specified  number  of  years,  depending  on  the  breach  severity.  In  other  words,  we  are  of  the  opinion  that  notification  laws  are  in-­‐‑themselves  an  insufficient  deterrent,  albeit  a  necessary  action  towards  diminishing  security  fraud.        Notification  laws  are  an  insufficient  deterrent  on  multiple  grounds.  Firstly,  the  breach  may  occur  at  one  of  the  “back  office”  processing  companies  (e.g.,  data  couriers  or  data  brokers),  leading  to  consumer  confusion  regarding  whether  shopping  elsewhere  effectively  punishes  anybody.  Also,  with  larger  companies  such  as  banks,  consumers  not  only  fear  the  cost  of  changing  companies,  they  also  may  begin  to  feel  its  ineffectiveness,  assuming  all  such  companies  are  equally  likely  to  incur  a  breach.  As  with  the  media  hype,  consumers  begin  to  consider  breaches  “normal.”    Companies  
  7. 7. 7often  would  prefer  it  this  way,  as  breach  desensitization  leads  consumers  to  waive  market  punishment;  indeed,  many  feel  such  notices  would  lead  only  to  “crying  wolf,”  bringing  customers  to  ignore  such  warnings  wholesalexxiii.  For  instance,  TJX  Companies  Inc.  incurred  only  a  slight  dip  in  share  price  when  its  security  breach  was  announced  in  January  2007,  and  customers  expressed  lax  concern  given  its  low  prices  while  justifying  that  it  could  have  happened  to  any  company.  After  a  class  action  lawsuit  was  filed  a  few  weeks  later,  the  share  price  fellxxiv.  Consumers  also  feel  protected  by  the  cardholder  agreements  that  insulate  their  losses,  probably  forgetting  that  they  pay  for  these  through  increasing  fees;  nor  do  they  consider  the  extremely  arduous  process  of  identity  theft  recovery,  which  has  been  described  as  arduous  and  intimidatingxxv.  Thus,  notification  may  not  necessarily  function  as  an  indirect  form  of  consumer  sanction,  as  it  was  originally  conceived.    We  believe  the  courts  need  to  begin  to  consider  the  prospect  of  allowing  civil  liability  cases  to  be  heard  when  and  if  it  can  be  established  that,  had  the  breach  not  occurred,  the  theft  of  data  would  not  have  occurred.  This  causality  claim  has  not  done  well  in  court,  however,  as  the  customer  presumably  submits  the  very  data  lost  to  many  institutions  other  than  the  one  that  incurred  the  breach;  nor  can  it  be  established  that  identity  theft  is  an  event  that  ordinarily  does  not  take  place  when  a  company  has  not  been  negligentxxvi.  This  is  to  say,  data  security  negligence  does  not  ordinarily  lead  to  identity  theft.    Given  the  statistics,  that  seems  to  be  true,  despite  the  hype.  
It  also  means  that  the  personal  information  may  have  been  shared  with  different  institutions  and  hence  misused  elsewhere,  invoking  no  liability  to  the  company  originally  responsible.  This  is  a  question  of  privacy  law,  which  we  will  come  to  next.  Torts  have  also  been  rejected  as  a  form  of  civil  liability  because  “actual  harm”  is  only  the  fear  of  the  possibility  of  future  harm,  and  so  this  argument  has  not  even  been  able  to  sustain  rewards  of  credit  monitoring  as  personal  compensation  for  a  breachxxvii.        Therefore,  we  believe  it  should  not  be  the  sole  job  of  courts  to  craft  solutions  for  each  and  every  case  of  identity  fraud.  Instead,  legislation  must  be  drafted  which  allows  the  pinpointing  of  responsibility  through  regulatory  standards.  More  stringent  rules  are  needed  to  motivate  businesses  to  comply  with  data  security  standards,  as  we  discussed  above.  Minnesota  was  the  first  state  to—in  addition  to  enticing  companies  to  change  through  the  notification  deterrent—also  decided  to  punish  companies  by  giving  PCI  standards  a  legal  standing.  The  Plastic  Card  Security  Actxxviii  makes  companies  that  process  more  than  20,000  transactions  annually  liable  to  banks  and  credit  unions  for  the  costs  of  credit  card  blocking  and  re-­‐‑issuance,  if  sensitive  information  is  found  to  be  stored  after  certain  limits,  something  that  PCI  explicitly  prohibitsxxix.  Massachusetts  has  a  similar  law,  which  includes  government  bodies  under  its  definition  of  “commercial  entityxxx.”  
  8. 8. 8  Even  still,  this  may  not  be  enough  to  get  smaller  companies,  the  52%  cited  above  guilty  of  storing  sensitive  nonpublic  information,  to  comply.  Often,  these  smaller  companies  are  storing  data  without  even  knowing  it,  as  the  packaged  payment  applications  they  utilize  store  this  information  by  default.  For  this  reason,  we  are  urging  that  the  card  processing  (“back-­‐‑office”)  companies  that  distribute  these  packaged  programs  be  held  accountable  for  updating  software  packages  in  compliance  with  this  regulation,  as  well  as  educate  their  retail  clients  of  these  storage  regulations  in  order  to  indemnify  themselves  against  future  claims,  thereby  making  the  businesses  themselves  accountable  for  non-­‐‑compliance.  In  this  way,  we  have  argued,  liability  claims  are  allowed  to  trickle  down.    As  it  is,  many  smaller  businesses  are  being  fined  for  security  breaches  they  believed  to  have  made  a  sincere  attempt  to  control  through  firewall  protection  and  passwords.      Individuals  are  also  a  main  concern.  Notifications  need  to  come  with  clear  and  concise  information  for  how  the  breaching  institution  is  going  to  compensate  for  its  negligence,  not  just  a  vague  and  empty  informational  letter.  If  individuals  are  powerless  in  court,  even  as  a  class  action,  we  need  to  see  legislation  at  the  federal  level  that  not  only  protects  the  financial  institutions,  but  also  a  statutory  right  of  action  extended  to  consumers.  At  the  very  least,  laws  are  needed  that  require  as  part  of  notification  a  writ  of  guaranteed  credit  monitoring  services  which—in  the  case  of  credit  fraud—also  incur  all  personal  costs  and  troubles  associated  with  the  clearing  the  debts  and  accounts  created  by  the  thieves.  
As  it  is,  the  Federal  Trade  Commission  advises  much  persistence  in  getting  local  and  state  police  sources  to  recognize  fraud,  a  step  necessary  to  get  collection  agencies  to  rescind  their  legal  duty  to  collectxxxi.  In  other  words,  businesses  should  not  just  be  held  responsible  for  ensuring  that  financial  institutions  are  covered  in  their  losses,  but  that  individuals  are  likewise  covered  for  the  costs  associated  with  both  future  credit  monitoring,  and  the  larger  personal  costs  associated  with  clearing  the  debts  and  accounts  created  by  the  thieves.    The  costs  of  credit  monitoring  should  be  borne  by  the  company,  such  that  incentive  is  created  to  re-­‐‑analyze  the  benefit  of  maintaining  personal  data  weighted  against  the  costs  of  possible  breaches  due  to  disorganization,  sloppy  internal  work  ethic,  file-­‐‑sharing  and  data  vending,  and  of  course  any  other  risk  associated  with  PCI  non-­‐‑compliance.    If  all  companies  are  under  the  same  level  of  regulation  at  each  level  in  the  system  (from  credit  card  agencies,  to  processing  companies,  to  retail  businesses)  to  ensure  that  they  are  PCI  compliant  at  the  least,  this  is  incentive  enough  for  motivating  businesses  to  work  harder  to  guarantee  a  secure  marketplace  in  which  to  do  business.            
  9. 9. 9Is  there  a  need  to  pass  consumer  privacy  laws  so  that  they  impose  fair  information  practices  upon  creators  of  databases  containing  confidential  information?    Data  managers  know  the  value  of  reusing  data.  However,  few  individuals  believe  that  the  personal  information  they  provide  is  and  can  be  bought  and  sold  as  a  good.  The  questions  above  deal  with  data  security  and  its  failure.  This  is  distinct  from  what  companies  can  legally  do  with  personal  information  once  they  have  it,  whether  individuals  are  aware  that  companies  are  even  gathering  information  about  them,  and  hence  what  rights  individuals  have  and  what  permissions  need  to  be  granted  regarding  its  ownership,  preservation  and  sharing.  Given  that  recent  news  regarding  data  breaches  are  waking  up  individuals,  privacy  groups  are  rethinking  the  implications  of  the  1974  Privacy  Actxxxii  and  the  meaning  of  its  “fair  information  practices”  given  the  expanding  intrusion  of  companies  and  government  as  a  result  of  the  free  flow  of  information  on  the  Internet.    The  USA  Patriot  Actxxxiii  began  an  era  of  increased  government  surveillance  once  again,  as  government  again  began  collecting  data  about  individuals  with  neither  consent  nor  recourse  to  oversight  or  legal  challenge.  In  the  European  Union,  on  the  other  hand,  personal  privacy  laws  are  relatively  advanced.    The  European  Commission  passed  Directive  95/46/EC  on  the  “Protection  of  Individuals  with  Regard  to  the  Processing  of  Personal  Data  and  on  the  Movement  of  Such  Dataxxxiv.    In  contradistinction,  the  U.S.  has  no  overarching  federal  policy,  preferring  instead  to  adopt  privacy  legislation  “as  needed,  ”  as  sectors  and  events  see  fit.  
For  this  reason,  we  see  a  proliferation  of  acts,  such  as  the  Video  Protection  Actxxxv,  the  Cable  Television  Consumer  Protection  and  Competition  Actxxxvi,  the  Health  Insurance  Portability  and  Accountability  Act  (HIPAA)xxxvii,  the  Childrenʹs  Online  Privacy  Protection  Act  (COPPA)xxxviii ,  and  the  Fair  Credit  Reporting  Actxxxix,  among  others.  Former  President  Bill  Clinton  and  vice-­‐‑President  Al  Gore  advised  in  their  “Framework  for  Global  Electronic  Commerce”  that  “the  private  sector  should  lead,”  “governments  should  avoid  undue  restrictions  on  electronic  commerce,”  and  ironically  even  that  “Electronic  Commerce  over  the  Internet  should  be  facilitated  on  a  global  basisxl.”        Advances  in  data  mining  allow  searching  for  correlations  and  patterns  amongst  data.  This  is  not  hypothetical  deduction,  as  in  science,  but  hypothetical  induction.  A  graduate  student,  for  example,  by  tracking  the  IP  fingerprints  across  millions  of  Wikipedia  entries,  traced  a  systematic  deletion  of  critical  information  regarding  e-­‐‑voting  machines,  from  the  very  company  producing  those  machinesxli.  A  Carnegie  Mellon  professor,  Latanya  Sweeny,  for  instance,  found  that  by  just  knowing  an  individual’s  postal  code  and  birth  data,  that  individual’s  personal  information  in  a  putatively  anonymous  public  
  10. 10. 10database  could  be  identified  with  69  percent  accuracy,  and  even  87  percent  if  the  gender  is  also  knownxlii.      Thus,  while  HIPAA  allows  a  small  portion  of  data  to  be  utilized  for  marketing  purposes  if  and  only  if  it  is  stripped  of  all  personal  identifiers,  data  miners  may  re-­‐‑identify  the  person  by  making  correlations  across  other  databases.  We  firstly  believe  that  federal  laws  regarding  information  as  sensitive  medical  data  should  in  no  way  ever  be  marketed.  Secondly,  if  the  U.S.  does  wish  to  continue  making  piecemeal  legislation  on  an  as  needed  basis,  basic  federal  rules  consistent  with  “fair  information  practices”  outlined  in  the  Privacy  Act  must  provide  the  unwavering  fundamentals  under  which  these  piecemeal  laws  must  conform.      There  are  also  recommendations  to  fight  data  mining  indirectly  xliii .  For  example,  after  records  have  been  de-­‐‑identified,  average  values  for  fields  (across  five  to  ten  records)  or  known  amounts  of  random  noise  could  be  used,  or  random  amount  of  noise  could  be  introduced  across  all  records.    Both  methods  would  allow  for  data-­‐‑analytic  breakdown  and  accurate  analyses  by  researchers  or  marketers  wishing  to  use  it  in  their  studies.  This,  however,  while  it  is  a  form  of  data  encryption,  does  not  solve  the  more  fundamental  problem  of  personal  rights  of  privacy  we  endorse  in  this  paper.      For  one,  we  call  for  a  strict  opt-­‐‑in  policy  for  any  data  sharing  and  marketing.    That  is  to  say,  it  is  a  dangerous  default  and  precedent  to  begin  requiring  individuals  to  take  active  measures  themselves  to  investigate  and  inform  themselves  regarding  what  a  company’s  plan  is  for  the  data  they  provide.  
If that plan is mere storage, users may be presented with an opt-out option, but only in this case, and even then consumers should not have to take active steps to opt out. On the other hand, if the company plans to share, sell, or market the data at any time, consumers must be offered an opt-in choice up front, with a summarized and understandable (i.e., not legalese) statement of those plans. Additionally, this choice may not be disguised in formats such as opting in or out of newsletters or updates (a.k.a. spam). Whichever form applies, the opt-in or opt-out must also be made more robust and must not depend on cookies, which, once deleted (accidentally or intentionally), often void such agreements because the consent record lived only in the cookie.

Such legislation must be passed in a form that resists attempts by private-industry lobbyists to weaken these fundamental protections. Of course, given the proliferation of Acts, it is difficult to reject wholesale the current sector-by-sector U.S. implementation of data privacy law. For this reason, we call for an overarching federal policy that at least sets guidelines and fundamentals, as is done in the European Union, and insists that data protection officers are employed to ensure compliance. Sector-by-sector acts may vary, but may not violate these privacy protections, which should be considered inviolate in today's age of information. They provide the control users have a right to feel against their fears of data breaches, however rational or irrational those fears may be, which notification laws are just now making more salient. They also reduce the secondary, indirect need for database managers to add noise or aggregate data, and the need for the Safe Harbor agreement, which gives Europeans protections in accord with fair information practices while denying U.S. citizens the same privacy assumptions. While we are not opposed to recent industry-led efforts to secure a standardized set of policy rules, as TRUSTe and P3P [xliv] have done (and indeed applaud the effort), we still argue that the most basic privacy disclosures should be a fundamental right of individuals, such that these standards are required under law.

Conclusion

Due to recent notification laws, data breaches have penetrated the public consciousness. Notification laws are an effective step in giving companies an incentive to protect their databases with rigor. They may nevertheless be insufficient, and must be accompanied by campaigns that balance the hype such initiatives create with education about the real causes of breaches. Companies at each level of credit card transactions must also bear, through federal regulation, the costs associated with breaches of non-public personal information. Incentive must thus be paired with consequences, so that companies, even small companies, are educated about data security standards, and not knowing is sufficient reason for assigning blame not just in the legal system (if necessary) but at the federal regulatory level.
In addition, security must go hand in hand with privacy. Breaches of non-public personal information, while often the result of workplace negligence, are also a reality because of lax standards, shaped by private-sector lobbying, that allow data to be shared, sold and marketed without the consumer's informed consent. These are trends that must reverse if the United States is to compete globally and provide its own citizens with the privacy protections both it and the EU grant to citizens of Europe. Opting out should not be entrenched in the public mind as the default, whereby individuals must act to protect themselves. Privacy protection at the individual level should be presupposed.

Footnotes
i. Privacy Rights Clearinghouse (July 11, 2008). A chronology of data breaches.
ii. Ponemon Institute (November 28, 2007). Ponemon study shows data breach costs continue to rise.
iii. Krebs, Brian (July 1, 2008). Data breaches are up 68% this year, nonprofit says. Washington Post.
iv. Fontana, John (Nov 2, 2006). Average data breach costs companies $5 million.
v. Data Loss Archive and Database (DLDOS).
vi. See also Ponemon Institute and RedCannon Security (Dec 2007). Survey of US IT practitioners reveals data security policies not enforced.
vii. S.B. 1386, codified in Cal. Civ. Code § 1798.82. A description of this law can be found
viii. For a chart of state-by-state legislation, see Katz, M. L. (2008). Data security: Into the breach. The Maryland Bar Journal, 41(1).
x. Safeguards Rule: Laws and Rules.
Pub. L. No. 106-102, Title V, Subtitle A.
See Allan, Danny (June 2008). Payment card industry mandate stresses importance of web application security: Recommended becomes required. See also PCI Security Standards Council (September 2006).
Data breach hype is misleading consumers—study.
Ibid.
Fontana, John (Nov 2, 2006). Average data breach costs companies $5 million; see Rustad, M. L. & Koenig, T. H. (2005). Rebooting cybertort law. Washington Law Review Association, 80.
xv. Sidel, Robin (September 2007). In data leaks, culprits often are Mom, Pop.
xvi. Schwartz, P. & Janger, E. (2007). Notification of data security breaches. Michigan Law Review, 105. See also Picanso, K. E. (2006). Protecting information security under a data breach notification law. Fordham Law Review, 75.
xvii. SB 1386, codified as Civil Code § 1798.82, et seq.
xviii. Brelsford, James F. (September 2003). California raises bar on data security and privacy. FindLaw.
xix. Javelin Strategy and Research (June 2008). New Javelin research pinpoints how institutions should respond to data breaches.
xx. Says Linda Foley of the Identity Theft Resource Center; reported in Krebs, Brian (July 2008). Data breaches are up 69% this year, nonprofit says. Washington Post.
xxi. Alexander, Philip (April 2007). Data breach notification laws: A state by state perspective. Intelligent Enterprise.
xxii. For all the details regarding each of these bills, see the Privacy and Security Law Blog at
xxiii. Schwartz & Janger, ibid. For a set of economic arguments, see Romanosky, S., Telang, R. & Acquisti, A. (2008). Do data breach disclosure laws reduce theft? Seventh Workshop on the Economics of Information Security.
xxiv. Wiltshire, Elaine (2007). Cyber-enemy at the gates. The Bottom Line, 24(8).
xxv. Federal Trade Commission. Defend: Recover from identity fraud.
xxvi. Chandler, J. (2008). Negligence liability for breaches of data security. Banking and Finance Law Review, 23(2).
xxvii. Chandler, J. (2008), ibid.
xxviii. Minnesota Statute 325E.64, Access devices; breach of security (2007).
xxix. Vijayan, Jaikumar (May 2007). Minnesota gives PCI rules a legal standing. Computerworld.
xxx. Massachusetts House Bill No. 213 (2007).
xxxi. Federal Trade Commission. Defend: Recover from identity theft.
xxxii. P.L. 93-579, 88 Stat. 1897, 5 U.S.C. § 552a (1974).
xxxiii. P.L. 107-56, 115 Stat. 272 (2001), then later P.L. 109-77 (2006).
xxxiv. Directive 95/46/EC, adopted by the European Parliament and the Council in 1995.
xxxv. 18 U.S.C. § 2710 (2002).
xxxvi. P.L. 102-385 (2002).
xxxvii. P.L. 104-191 (1996).
xxxviii. 15 U.S.C. §§ 6501-6506, P.L. No. 105-277, 112 Stat. 2681-728 (2000).
xxxix. 15 U.S.C. § 1681 et seq. (1996).
xl. A Framework for Global Electronic Commerce, The White House (July 1997).
xli. Borland, J. (August 2007). See who's editing Wikipedia—Diebold, the CIA, a campaign. Wired.
xlii. Reported in Edelstein, H. & Millenstein, J. (Dec 2003). DM Review Magazine.
xliii. For example, see again Edelstein, H. & Millenstein, J., ibid.
xliv. See and respectively.