By their fruits, ye shall know them
We’ve made frequent calls here at EC for improved breach reporting. In particular, we’ve said that governments (be they state, provincial, national, whatever) should provide standardized reporting forms, should collect a basic set of facts in each report, should require precision in reporting rather than accepting weasel-words, and should mandate centralized reporting, so that legislators and the public can see (without commissioning a study) what the facts are. Additionally, we’ve mentioned research discussing notification fatigue, and the artful construction of notification letters seemingly designed to discourage both comprehension and action. Finally, we’ve praised efforts to increase transparency, in particular New Hampshire’s posting of notification letters on a government-administered web site.
In recent days, I was elated to learn of legislative efforts in California and Indiana that together substantially advanced each of these points. In California, Senate Bill 364 was recently voted out of the state senate. This bill requires that breach notification letters be written in plain language, and that they contain:
- The toll-free telephone numbers and addresses of the major credit reporting agencies.
- The name and contact information of the reporting person or business subject to this section.
- A list of the types of information, such as name or social security number, that were or may have been the subject of a breach.
- The date of a breach, if known, and the date of discovery of a breach, if known.
- The date of the notification, and whether the notification was
- A general description of the breach incident.
- The estimated number of persons affected by the breach.
It also requires that breaches be reported to California’s Office of Information Security and Privacy Protection (where they would be subject to Freedom of Information requests).
In Indiana, House Bill 1197 would require the attorney general to publish notice of a breach of the security of a system on the attorney general’s Internet web site, and would close a loophole in Indiana’s existing breach law, which currently allows password protection to be sufficient to exempt an incident from disclosure. The new law would only exempt completely encrypted portable devices, with unexposed keys.
Each of these bills is a great thing, and each shows that (despite what cynics like me might say), smart people who are motivated can make a big difference. In California, the smart, motivated people are at the Samuelson Law, Technology & Public Policy Clinic, whose recent research supplied part of the bill’s foundation. In Indiana, infosec researcher Chris Soghoian was instrumental in educating his own local legislator, and in making several suggestions which found their way into Indiana’s bill.
But the story gets more interesting. As Chris documents, the centralized notification portion of the Indiana bill is vigorously opposed by telecom giants AT&T and Verizon, as well as by Microsoft. The last, writes Soghoian, even argued that availability of actual breach letters would make phishers’ work easier. Funny that the letters already posted by New Hampshire and others haven’t done this. I guess phishers are too busy to write a FOIA letter, too. Note to Microsoft: this information is not secret from the bad guys; it is merely hidden from the vast majority of the good guys. Thanks for arguing that it should stay that way. Maybe Microsoft’s lobbyists should learn about threat modeling.
Lest it be thought that tech industry opposition to democratic transparency is a purely domestic thing, the Information Technology Association of Canada testified in opposition to a Canadian breach law, as reported by Canadian privacy law expert Michael Geist.
Meanwhile, in California, the portion of the bill requiring breach notices to be placed on the web, thereby allowing the interested public to avoid the hassle of writing FOIA letters, has been stricken from the bill, this time for cost reasons.
I’m happy that California takes this issue seriously, and turned to some folks who obviously know their stuff. I guess they are strapped for cash. As for Indiana, and for Canada, it’s disheartening to see tech firms argue that technology should not be used to bring relevant information closer to those who want it.