Shostack + Friends Blog Archive

 

State disclosure laws

I’ve written up a comparison of what I believe to be all existing US state disclosure laws with regard to three loopholes that have been discussed by, among others, Rob Lemos and Bruce Schneier recently.
I’m experimenting with Blosxom, so I posted this over here.
The executive summary is all the state laws could use improvement, but if you care most about these three loopholes, Maine looks pretty good. If you expand your evaluation criteria to include central reporting or tighter protection of personal information, New York is the top of the heap.

3 comments on "State disclosure laws"

  • Rob Lemos says:

    Hey Chris:
    I would point out that the metric you take for the “first initial” loophole is not the same as the “no name” loop hole mentioned in the SecurityFocus article.
    For example, both Arkansas and California have a “no name” loophole: If the person is identified by an identifier that is not their name, then the company does not have to disclose. In fact, in a rudimentary way, this could be considered encryption.
    However, many times attackers don’t need identifiers to make use of the information (in the recent case of debit card numbers and PINs, for example, often no name is necessary to use the information). While the information may not be able to be used for identity fraud per se, it could be used to run up charges and harm a person’s credit score.
    Any way to add another attribute to your matrix?
    -R

  • Chris Walsh says:

    Rob:
    The “first initial” loophole is a derived class of the “no name loophole”.
    I will check into this, but off the top of my head, I think that only NY (and perhaps one other state) handle the “no name” loophole properly.
    From the NY law:
    “(A) “PERSONAL INFORMATION” SHALL MEAN ANY INFORMATION CONCERNING A NATURAL PERSON WHICH, BECAUSE OF NAME, NUMBER, PERSONAL MARK, OR OTHER IDENTIFIER, CAN BE USED TO IDENTIFY SUCH NATURAL PERSON;”
    Basically, if it is a unique identifier of a person, it is personal information.
    The only way I can think of to improve this would be to say that if individuals can be “reidentified” based solely on the corpus of data revealed in a breach in conjunction with publicly-available data, then notification is mandatory.
    I strongly suspect this would meet with resistance, but consider the amount of money the Census Bureau spends to prevent reidentification while preserving the statistical properties of the data they collect. One might therefore suggest that the ChoicePoints of the world be held to a similar standard to prevent a similar harm.

  • Chris Walsh says:

    Just checked. I was right — only NY does it properly. Maine requires a last name, and the rest require a last name and either a first initial or first name.

Comments are closed.