BreachExchange mailing list archives

Dear Lawmakers, Your New Breach Notice Laws Should Address These Issues


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 29 Jan 2015 19:25:32 -0700

http://www.jdsupra.com/legalnews/dear-lawmakers-your-new-breach-notice-l-38153/

The days of companies being so afraid of the reputational impact of a
breach that they would look for any way possible to avoid disclosure are
gone. The pendulum has swung in the opposite direction. Now companies,
often in the name of being “completely transparent” with their customers,
want to disclose incidents as soon as possible (sometimes even before they
know whether a “breach” actually occurred). The immediate disclosure
“instinct” companies are developing is, in part, due to the number of
incidents being disclosed. There certainly seems to be safety in
numbers—there were significant breaches disclosed in 2014 that received
much less attention than they likely would have if they had been disclosed
prior to December 2013. The continuous news cycle of incident reports has
awakened the reactive cycle of new breach notification law proposals. The
new proposals, like their predecessors that were not enacted, are not
paired with any empirical data of why new or expanded laws are needed and
they often borrow heavily from existing laws that have obvious flaws.

Industry groups and even companies that faced highly-publicized security
incidents have joined the call for a national breach notification law. The
lure of a national law is having one standard instead of 47 state laws and
potentially overlapping federal laws and guidance for financial
institutions and health care entities. In practice, the differences across
state law rarely make a difference in how a company responds to an
incident. Unauthorized acquisition of a file containing names and Social
Security numbers by an attacker triggers a notification obligation in every
state law. But as states have expanded the definition of “personal
information”—with some now applying to maiden names, dates of birth, or
credentials to access online accounts—the differences have continued to
increase.

If a national law is enacted, below are practical issues companies face
when they attempt to comply with breach notification laws that should be
addressed.

- Owner/Licensor. Most state laws require the “owner” of the “personal
information” that was stolen to notify the affected individual, while a
“licensor” or “processor” of the data is required to notify the “owner”
which in turn is required to notify the individuals. The dichotomy of
“owners” versus “licensors” and “processors” does not neatly apply to how
data is collected and used. Payment cards provide a good example. Banks
that issue the cards often assert that they are the owner of the card data.
When a card is swiped at a retailer, many retailers only use the data from
the magnetic stripe to gain authorization for the transaction (and they do
not store that data). If payment card data is stolen while it is being
routed through the retailer’s system to its processor, it’s hard to view
the retailer as the “owner.” If not, then is the retailer supposed to
notify the issuing bank, which would then notify the cardholder?
- Discovery. Existing laws require notification to occur within a certain
amount of time after the incident is discovered. But when discovery occurs
is not defined. If a laptop was stolen that was believed to have been
encrypted but the company learns two weeks later that an error occurred and
the laptop actually was not encrypted, is the date of the theft or the date
that the company discovered that the laptop was not encrypted the discovery
date?
- Notification Timing. If an incident requires a forensic investigation to
determine whether a breach occurred and then the nature and extent of the
breach, it is difficult for a company to complete such an investigation and
then carry out the steps necessary to mail letters to thousands or millions
of individuals in less than 30 days. Setting a disclosure deadline any
shorter than 30 days would likely encourage over-reporting, which would
only further create “breach fatigue” and increase the likelihood that
affected individuals will ignore notifications in scenarios where they
really should take action.
- Method of Notification. Most scenarios require notification to occur by
ordinary mail. Providing notice by mail may add five to ten days to the
time it takes to provide notification. After a company builds a list of
names and addresses, has the addresses run through the National Change of
Address database, and provides a vendor with the letter versions and credit
monitoring codes, it sometimes takes the vendor an additional three to five
days before all of the letters are printed and mailed. Permitting
notification to occur by e-mail or even text message, perhaps in
conjunction with a notice posted on the company’s website, seems more
likely to provide notification to individuals in a timely manner.
- Content Requirements. Some states just require notification, some states
mandate that certain information be provided, and one state mandates that
certain information not be provided.
- Risk of Harm. Some states permit a company to determine that notification
is not required if their investigation leads them to reasonably believe
that the incident will not result in harm to the affected individuals. In
some states, companies can only rely on their determination that there is
not a reasonable risk of harm if they provide their analysis to that
state’s attorney general. Often, companies are unwilling to find out if the
state attorney general will agree with their analysis, so they err on the
side of caution and provide notification especially if only a small number
of individuals are affected. Doing so, however, can establish a precedent
that the company may not want if the same incident occurs in the future but
a larger population is affected. There are scenarios where unauthorized
access to personal information occurs, but it is clear that no harm will
result. The classic scenario is the inadvertent e-mail.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss