Shostack + Friends Blog Archive


Disclosure Laws & Regulations

Declan McCullagh writes about new rules requiring banks to disclose breaches, as promulgated by an alphabet soup of federal regulators.

A brief digression: The new guidelines seem to make sense, but it’s difficult to figure out whether they go too far or not far enough. Normally consumers can shop around and choose products based on a whole range of different options.

For instance, a hypothetical BankSuperSecure might employ only bonded employees with government security clearances and hire armed guards to watch these employees all the time. Those security measures would probably reduce the chance of insider shenanigans — but would come at a substantial cost that would be passed on to consumers in the form of lower interest rates on savings accounts and higher interest rates on loans and credit cards.

Its hypothetical competitor CheapDiscountBank might take less rigorous security mechanisms but offer far better terms on savings accounts and loans. In this scenario (let’s assume that the banks were required to disclose their respective approaches to security), consumers could choose what risks they’re willing to take and companies could experiment. Because that process doesn’t exist today, we end up with a one-size-fits-all rule that sets both a security floor and also a de facto ceiling that banks seem unwilling to exceed. It’s difficult to know whether that security “level” is the best one for consumers.

I’ll suggest that the new rules don’t go far enough. As the Washington Post story (archived here) explains: “If the organization determines that misuse is unlikely, it need not report the breach to its” So CheapDiscountBank might have one criterion for that determination, while BankSuperSecure has another. But consumers won’t be able to compare those. As the regulation says, “It also should generally describe what the institution has done to protect the customers’ information from further unauthorized access.” Generally describe? How can I assess a general description? (A non-expert consumer might have difficulty, but could turn to Consumer Reports, or other trusted sources, for advice.)

Also, federally mandated “know thy customer” regulations require banks to gather, authenticate, and store everything an ID thief needs to go about their business. SuperSecureBank might promise to throw away all the non-essential data, so that they can’t have a breach. SuperSecure could thus lower their costs and increase their security. It’s too bad that a mere $50 billion in annual losses doesn’t prompt a review of how we’ve organized the regulatory regime.