Shostack + Friends Blog Archive


Low-quality DATA

The other day, I wrote about the Data Accountability and Trust Act (DATA), which has been received well by consumer and privacy advocacy organizations. For example,

“We’re pleased with the compromise ‘trigger’ language relating to when a business must notify individuals of a breach of their personal information,” said several privacy advocacy groups in a joint statement issued the day before the vote.

Having finally read the full text of the bill, I’m not sure I share this pleasure.

Under this bill, as written:
If I lost a million plaintext records with:

  • first initial
  • middle name
  • last name
  • SSN
  • bank account number
  • credit card number
  • address
  • phone number
  • Date of Birth
  • Mother’s maiden name
  • Shoe size

I would not have to notify. This is because “personal information” is defined as:

an individual’s first and last name in combination with any 1 or more of the following data elements for that individual:
(i) Social Security number.
(ii) Driver’s license number or other State identification number.
(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

Moreover, the bill also defines ‘breach of security’ in a manner tending (unacceptably, in my view) to limit disclosure:

The term ‘breach of security’ means the unauthorized acquisition of data in electronic form containing personal information that establishes a reasonable basis to conclude that there is a significant risk of identity theft to the individual to whom the personal information relates.

Observers of breach notification legislation often refer to California’s SB1386 as a kind of benchmark. Now almost three years old, this law is starting to show its age, but even it does better than this, requiring that personal information “was, or is reasonably believed to have been, acquired by an unauthorized person”. (italics mine).
Yet, even when I know (not just ‘reasonably believe’) that I have given away your first and last name, SSN, account info, DOB, and shoe size, I may still not have to notify you. This is because (by my reading, IANAL, do not taunt happy fun ball) there needs to be a “reasonable basis to conclude that there is a significant risk of identity theft to the individual to whom the personal information relates” to trigger notification.
What does ‘significant’ mean? According to ID Analytics, the probability of fraud given that you were hit with a loss of PII is at most 1 in 1000. Is that significant?
The National Crime Victimization Survey reports that rich folk are more likely to get hit by ID theft. So, if I lose a tape with PII on, say, 1,000,000 children in households receiving welfare (an unlikely group for ID theft targeting), do I get to not notify because there is no ‘significant’ risk of ID theft? Think about how much you want to have riding on the meaning of that term.
That summarizes some of my concerns with this legislation. The US ACM also has a comment about this bill. I highly recommend that persons interested in informed analysis also read what the ACM has to say on this — their input to the House committee was written by Gene Spafford, and makes several good points I haven’t touched upon here.