Breach Notification Escape Mechanisms

[lyger <lyger () attrition org>]

(commentary on securityfocus.com debit-card fraud article posted earlier)

http://www.emergentchaos.com/archives/2006/03/breach_notification_escap.html

In a somewhat incendiary piece published today at Securityfocus.com, 
Robert Lemos reports on loopholes in notification laws which permit firms 
to avoid informing people that their personal information has been 
revealed.

According to the article, which along with unnamed "security experts" also 
cites industry notable Avivah Levitan, "[t]here are three cases in which a 
company suffering a breach can bypass current notification laws". First is 
if notification would impede an investigation by law enforcement, then:

     If the stolen data includes identifiable information--such as debit 
card account numbers and PINs--but not the names of consumers, then a 
loophole in the law allows the company who failed to protect the data to 
also forego notification. Finally, if the database holding the personal 
information was encrypted but the encryption key was also stolen, then the 
company responsible for the data can again withhold its warning.

Not quite. At least one state has a law that closes the quoted loopholes.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/