Interesting People mailing list archives

Breach Notification Loopholes (was Have you stayed at a Radisson since last November?)


From: David Farber <dave () farber net>
Date: Thu, 20 Aug 2009 12:13:34 -0400



Begin forwarded message:

From: Ethan Ackerman <eackerma () u washington edu>
Date: August 20, 2009 11:45:57 AM EDT
To: dave () farber net
Subject: Re: [IP] Breach Notification Loopholes (was Have you stayed at a Radisson since last November?)
Reply-To: eackerma () u washington edu

Greetings Dave,

Gordon's questions about the timing of the Radisson notification point
to a little-known but fairly large loophole in many data breach
notification laws.

Most notification laws have a (mostly sensible) exception that
notification isn't required, or in some cases even permitted, if
notification would impede an active law enforcement investigation.
You don't want to tip off an active intruder if there's a good chance
the cops are working to catch him.

Realizing that data breach notification laws were passing in almost
every state, lobbyists for those opposed to such laws seized on this
provision to water down the bills.  As a result many notification laws
now allow _the breached company_ to decide whether notification would
interfere with an investigation.  In other cases, a company could
indefinitely avoid notification even after an investigation is
completed, on the grounds of the initial (but completed)
investigation.  Some states even granted a related exception to
notification if the company determined after an investigation that a
breach wasn't "material" (in the company's opinion).

A few states are moving to tighten some of these loopholes.  For
example, Maine just amended its law to require notice within 7 days
after law enforcement officials give the all clear.

see privacylaw.proskauer.com/2009/05/articles/security-breach-notification-l/seven-days-is-all-she-wrote-/



On Thu, Aug 20, 2009 at 10:49 AM, David Farber<dave () farber net> wrote:


Begin forwarded message:

From: Gordon Syme <gordon () twiceasgood net>
Date: August 20, 2009 4:45:24 AM EDT
To: dave () farber net
Subject: Re: [IP] Have you stayed at a Radisson since last November?

Prof. Farber, for IP if you deem fit

On Wed, 2009-08-19 at 14:28 -0400, David Farber wrote:

Begin forwarded message:
From: Randall <rvh40 () insightbb com>
Date: August 19, 2009 2:16:40 PM EDT
To: David Farber <dave () farber net>, Dewayne Hendricks <dewayne () warpspeed com>, johnmacsgroup () yahoogroups com

Subject: Have you stayed at a Radisson since last November?

http://www.radisson.com/openletter/openletter-faq.html

What happened?  When did it happen?
Between November 2008 and May 2009, the computer systems of some
Radisson® hotels in the U.S. and Canada were accessed without
authorization.  This unauthorized access was in violation of both
civil and criminal laws.  Radisson has been coordinating with federal
law enforcement to assist in their investigation of this incident.

Why didn't you notify me sooner?
Working closely with law enforcement and forensic investigators, it
has taken some time to analyze the origins and extent of the
unauthorized access.

Why not notify people immediately when the breach is discovered? The
"origins and extent" of the breach don't materially affect any of the
individuals whose personal information may have been compromised. The
important thing here is that the information was compromised. Are these
affected people really going to take different measures based on where
their information went?

The text of the letter makes it seem like the breach was discovered in
May 2009. It is now August, giving the bad guys at least two full months
to work with the information they acquired.

Surely the responsible approach is to notify everybody immediately and work
out exactly what happened later? Better to notify too many people
quickly than to notify exactly the affected people after their personal
information has already been put to nefarious purposes.

-Gordon
-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com