BreachExchange mailing list archives

Data Breach Notifications: Time For Tough Love


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 7 Jul 2014 18:27:41 -0600

http://www.darkreading.com/compliance/data-breach-notifications-time-for-tough-love/d/d-id/1113739

Should businesses that suffer a data breach be legally required to issue a
prompt notification to affected consumers?

The White House thinks so. Mythili Raman, the acting assistant attorney
general at the Department of Justice, told the Senate Judiciary Committee
Tuesday that the White House is proposing the creation of a "consistent
national standard" that would require businesses to "provide prompt notice
to consumers in the wake of a breach." Breaches involving sensitive
information pertaining to 5,000 or more people, as well as any breach
involving federal or law enforcement databases, would also have to be
reported to federal law enforcement agencies within 10 days of being
discovered.

What counts as prompt? A suit filed last month by California attorney
general Kamala Harris against Kaiser Foundation Health Plan provides one
answer. In 2011, Kaiser lost a hard drive that contained personal
information -- names, addresses, birth dates, Social Security numbers --
for 20,539 Kaiser employees and their families. "Kaiser regained custody of
the hard drive in December 2011 and conducted a forensic analysis to
determine the types of data it contained," according to a blog post from
the law firm Hogan Lovells.

Kaiser officials then waited three months to notify affected individuals.
California state law requires breached organizations to notify affected
consumers "in the most expedient time possible and without unreasonable
delay." Cue the state suing Kaiser for $2,500 for each violation -- which
could add up to a $51.3 million fine. "The state alleges that this
three-month delay was unwarranted and violated California's unfair
competition law," according to Hogan Lovells.

Eva Casey Velasquez, president and CEO of the nonprofit Identity Theft
Resource Center (ITRC), told us that, besides helping to protect affected
consumers, states use breach notification laws to deter otherwise
legitimate businesses from cutting corners. "Law enforcement also has that
obligation to ensure that they keep that playing field level, so businesses
don't have an unfair advantage if they don't disclose that information."

In the wake of the breaches at Target, Neiman Marcus, and other retailers,
requiring breached businesses to issue prompt and informative notifications
to affected consumers has become a legislative rallying cry. "I am working
on legislation that would foster quicker notification by replacing the
multiple -- and sometimes conflicting -- state notification regimes with a
single, uniform federal breach notification regime," Rep. Lee Terry (R-NE)
said Wednesday during a House Energy and Commerce Committee hearing.

Likewise, Sen. Dianne Feinstein (D-CA) -- co-author of the Data Security
and Breach Notification Act introduced Jan. 30 -- has argued that
businesses should make a prompt notification directly to affected
consumers. "The public notification is always vague," she said at the
Senate Judiciary Committee hearing Tuesday.

This isn't the first time some legislators have attempted to tackle these
issues. Feinstein introduced a national mandatory breach notification bill
in 2003. It died, as have subsequent efforts.

Instead, many US organizations are now governed by a patchwork of
notification requirements, including laws on the books in 47 states --
Alabama, Michigan, and Missouri, you're out of luck -- only some of which
require direct consumer notification. Health data breaches involving 500 or
more records, meanwhile, require that a notification be made directly to
affected people, while smaller breaches must only be reported annually to
the Department of Health and Human Services.

But, as Feinstein has noted, not all notifications are created equal. Over
the past seven years, for example, 42% of reported breaches haven't
detailed -- to state attorneys general or affected consumers -- the number
of compromised records, according to the ITRC, which tracks public breach
notifications. A whopping one-third of notifications don't include any
details about the breach.

In other words, not all businesses behave like Target, which issued a clear
notification to affected consumers within seven days, and then again in
January, after investigators found 70 million customer records had been
stolen. Likewise, Neiman Marcus said it notified affected customers 37 days
after learning about the breach, which involved up to 1.1 million credit
cards. But Feinstein (a Neiman Marcus shopper) said Tuesday that she'd
received no such notification.

Timing-wise, those two retailers were on the hook after journalist Brian
Krebs published separate reports that payment processors had traced unusual
levels of fraud to both of those businesses. They had little choice but to
own up -- and quickly.

Why not hold all breached businesses to a preset consumer-notification
timeline? In fact, the ITRC's Casey Velasquez warned against that approach
and said some breaches are more complex than others. "We have to weigh the
right of people to know that their information has been breached and
compromised with the good of knowing all of the information at once."

She also warned against trickling information out to affected consumers.
"I'm not certain that it's better to tell people in chunks. If you say
something like 'You must notify them within 24 hours,' and you aren't able
to give them the full picture... that does more harm than good." Partially
notified consumers have no way of knowing what, if any, actual risks they
might face. Breach fatigue -- and subsequent inertia -- may also result.

The Target and Neiman Marcus breaches aside, the widespread paucity of
particulars in notifications suggests that many breached businesses haven't
invested in an IT infrastructure -- backed by rigorous security policies --
designed to help digital forensic investigators unpeel hack attacks. Take
this week's disclosure by St. Joseph Health System that it suffered a
security breach from Dec. 16 to Dec. 18. Officials said the breach may have
exposed 405,000 past and current patients' records, as well as employee
information. But digital forensic investigators hired by the hospital can't
tell for sure.

Incomplete breach notifications make a mockery of any notion of corporate
responsibility, especially given the immense amount of wasted time and
stress -- not to mention privacy violations -- facing consumers when a
business loses their personal information or financial details. Why, then,
are consumers left to clean up the mess?

If Congress wants retailers and other businesses that handle customer data
to get serious about securing it, let's start by implementing a parking
garage model, akin to how you take a ticket when you drive into the garage
and then pay when you leave for the number of hours you parked. Lost your
ticket? Then you pay the maximum amount.

Do the same for data breaches. If a business can't detail how it was
breached or how many customer records, health records, or credit card
accounts were stolen, then just presume every record has been compromised.
Make it the responsibility of businesses and government agencies to prove
otherwise. Maybe then more of them will begin taking data breach prevention
seriously.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/