Shostack + Friends Blog Archive

American Red Cross, unknown number of blood donors in Illinois and Missouri, insider thief+dismal process

Normally this would go in the breach roundup, but it is noteworthy in that it is the only case of substitute notice I can recall seeing.
All state breach laws provide for notifications to be made via mail or telephone, and allow so-called “substitute notice” via a press release, prominent web page placement, and the like under certain circumstances.

The circumstances here are that:

Red Cross cannot determine whose records that individual may have accessed. For that reason, Red Cross is providing this [web page] notice to all blood donors who have donated in the Missouri-Illinois Blood Services Region as a precaution.

Now, Missouri has no breach law that I am aware of. Regarding form of notice, Illinois law says this:

(3) substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the data collector has an email address for the subject persons; (ii) conspicuous posting of the notice on the data collector’s web site page if the data collector maintains one; and (iii) notification to major statewide media.

This is terrible law. Even if a firm has perfect records, and somehow can notify everyone for a nickel, all they need to do is expose more than a half-million folks and they are relieved of nearly all responsibility. Here, according to Computer World, a million donors were exposed. Talk about perverse incentives.
In this case, the American Red Cross either: a) has lousy record-keeping, b) is unwilling to incur an expense that nearly all others suitably situated have borne, or c) is using the size of this breach as an excuse for inaction.
Since we’re talking blood here, I don’t think a) is likely, so unless I am missing something (and I hope I am), it must be a combination of b) and c).
By the way, the SSNs were in a database made available to “donor recruiters”, according to Computer World:

The Red Cross offices in the region last week changed the database software to strictly limit access to any Social Security numbers in the future, Williams said. Only names, phone numbers and birth dates are now accessible by blood drive recruiters.
[…]
[The agency] said it’s taking additional security steps to ensure that such an incident doesn’t happen again. All staff members are being reminded, for instance, that donors don’t have to put their Social Security numbers into their Red Cross donor records.

Uh, I don’t think donors put them in in the first place. The Red Cross did. If they aren’t needed from today’s donors, they aren’t needed from ANY donors. I’m no DBA, but it looks like about two lines of SQL make this go away permanently.
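For the record, here is what those two lines look like, together with the recruiter access restriction the Computer World article describes. This is an added PostgreSQL example, not the Red Cross's own schema or script; the table, column and role names are assumed.

```sql
-- Added example, not from the post or the Red Cross. Assumed schema: a table
-- "donors" with columns donor_id, full_name, phone, birth_date, ssn.
BEGIN;

-- 1. The "two lines of SQL": blank the values, then drop the column so the
--    field cannot quietly come back into use.
UPDATE donors SET ssn = NULL;
ALTER TABLE donors DROP COLUMN ssn;

-- 2. Least privilege for donor recruiters: a view exposing only the fields the
--    article says they actually need (names, phone numbers, birth dates).
CREATE VIEW recruiter_donors AS
    SELECT donor_id, full_name, phone, birth_date
    FROM donors;

-- Recruiters get a role that can read the view and nothing else. The REVOKE is
-- defensive: a new role has no table grants unless PUBLIC was granted access.
CREATE ROLE blood_drive_recruiter NOLOGIN;
REVOKE ALL ON donors FROM blood_drive_recruiter;
GRANT SELECT ON recruiter_donors TO blood_drive_recruiter;

COMMIT;

-- Dropping a column does not scrub old row versions from disk; rewrite the
-- table so the values are really gone (cannot run inside the transaction).
VACUUM FULL donors;
```

Backups, exports and any replica that still carry the column need the same treatment, or the data is gone only from the live table.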
