Shostack + Friends Blog Archive


"A duty of care" to notify?

Some people have objected to my repeated claims that a new normal is emerging. Those people don’t include Her Majesty’s Revenue and Customs, who, after losing a disk in the mail, said:

“There was a thorough search for the item, which went missing at the end of September, but it has not been found. We have a duty of care to let people know what has happened and so we are writing to tell them.”

“HMRC loses personal details of thousands,” the Telegraph, who also had this to say on timeliness:

Mike Warburton, senior tax partner at accountants Grant Thornton, said: “It does seem strange that it has taken a month for HMRC to start sending these letters out. That disc could be anywhere by now and large numbers of people may be at risk of fraud – if not through their pensions, then possibly through identity theft.”

All of this is happening without breach notice laws in the UK. They read the press in North America, we read the press there, and the new social norms get ahead of where the laws and regulations are. There’s a clear expectation of rapid disclosure.

If you’re covering up a breach, and it gets out, lawyers are going to have a field day with you. Try to avoid quibbling over what the meaning of “is” is, and own up to your mistakes, even if there’s no “controlling legal authority.”

Thanks to Ant for the story pointer!

[Update: in closely related news, Brian Krebs has “acknowledges data loss” in the Washington Post. What we currently know about the Salesforce breach doesn’t seem to reach the legal minimums for mandatory disclosure. Perhaps I should have been clearer in saying that “if you’re covering up a breach that the law requires be disclosed…” Then again, perhaps the lawyers will have a field day. Also, Rich Mogull has an article, “Learning From Tylenol,” at DarkReading which beautifully compares the Tylenol response to the typical breach response.]
