Shostack + Friends Blog Archive


Report: Approaches to Security Breach Notification

The Canadian Internet Policy and Public Interest Clinic at the University of Ottawa has published a report entitled Approaches to Security Breach Notification[pdf].

From the Introduction:

This White Paper considers the need for an explicit obligation in Canadian privacy law to notify affected individuals of a breach in an organization’s security that places those individuals’ personal information at risk. The Paper begins its analysis with a review of the existing Canadian legislative framework relating to security breach notification. It then analyzes security breach legislation in the United States, where over half the states have enacted a mandatory security breach disclosure requirement and where several federal bills are currently pending. The Paper then considers justifications for, and objections to, such legislation, before concluding with a series of recommendations for enacting an effective statutory obligation of security breach notification in Canada.

I have only skimmed this report (for reasons I will get to momentarily). Nonetheless, I feel it is a must read for anyone interested in this topic. Although the authors are writing to a Canadian audience, their review of existing legislation and much of their analysis is of broader interest.

This report covers all the right stuff. Here’s an excerpt from the table of contents.

Relevant United States Law
Federal Legislation
State Legislation
Trigger for Notification
Responsibility for Determining need for Notification
Responsibility for Notifying
Notification Method
Notification to other agencies
Notification Timelines
Security Freezes
Private Rights of Action
Proposed U.S. Federal Legislation
U.S. Caselaw
Relevant Australian Law
The Case for a Legal Duty to Notify
Recommendations for a Canadian Breach Notification Law
Appendix: Security Breach Notification Laws (as of Dec. 31, 2006)

We’ve blogged about every single item under “State Legislation”, and much of the rest, and I can assure you it would have been easier if this report had been written a year ago.

Just as an example, this is the only source I have come across that discusses Nevada’s unique definition of “encryption”, other than Cryptogram and myself. If these folks are fastidious enough to note something about crypto that only Schneier had written about prior to 2006, I’d say they’re worth paying attention to.

As I said, I did not fully read this document. The reasons are two. First, it is so logically arranged I can immediately know what is in it without doing an exhaustive search. Second, I can feel myself being “sucked in”, and I don’t have the time right now. Hopefully, that will soon change.