Category: breach laws

Data breach fines will prolong the rot

The UK’s Financial Services Authority has imposed a £2.28 million fine for losing a disk containing the information about 46,000 customers. (Who was fined is besides the point here.)

I agree heartily with John Dunn’s “Data breach fines will not stop the rot,” but I’d like to go further: Data breach fines will prolong the rot.

In particular, fines encourage firms to hide their problems. Let’s say you believe the widely quoted cost of a breach numbers of $197 or $202 per record. At $202 per, breach response and notification would run $9,292,000 (2.6 times greater than the $3,522,000 fine.)

At some point, one or more executives makes a call between the disclosure and the risk of penalties for ignoring the law. If a fine were independent of the disclosure, then the fine would not influence disclosure. But fines are not independent. They are highly dependent on businesses first deciding to disclose. The fine may well get worse if you’ve concealed the error. But fines are highly uncertain. First, the size of the fine isn’t known, and second, if a fine will be imposed is unknown. So unless breach fines are regularly huge, sweeping things under the rug will make more sense than inviting them.

In fact, the rational choice for a firm is to wait until total non-notification penalties are (1/p)*c where p is the expected probability of a fine and c is the expected cost of notification. Given estimates of 1/2 to 9/10 of breaches going unreported, that would entail fines from $400 to $2,000 per record. For the breach that started me thinking about this, that’s $18-92 million. Let’s call it 50 million bucks.

For those wanting to deter breaches, and those wanting to punish the firms which lose control of data, that may be attractive. But for context, for a 2005 explosion which killed 15 people and injured 170 more, BP was fined $50 million, and a single fatality at a wheat handling facility lead to a fine of 1.61 million.

Is this breach of the same magnitude of a problem that kills 15? I have trouble seeing it as being of that magnitude. Maybe if we had a better understanding of the link between different breaches and their impact on real people, we could better assess. Maybe 1500 of those people whose data was lost will spend the next five years unable to live their lives because of the lingeringly corrupt databases that result. Maybe the fraud and corruption are a result of this breach. Unfortunately, despite the growing number of states that call for a risk assessment before notification, such risk assessments are, at best, a set of guesses strung together by well-meaning professionals. More likely, they’re CYA and justification for not notifying. When I say “more likely,” that’s my analysis of motivations and economics. It’s better grounded than any post-breach risk assessment I’ve seen.

I am deeply sympathetic to the desire to punish those who put others at risk, both to deter and for the punitive value.

But fines won’t reliably do that. They will prolong the rot.

Breach Laws & Norms in the UK & Ireland

Ireland has proposed a new Data Breach Code of Practice, and Brian Honan provides useful analysis:

The proposed code strives to reach a balance whereby organisations that have taken appropriate measures to protect sensitive data, e.g. encryption etc., need not notify anybody about the breach, nor if the breach affects non-sensitive personal data or small amounts of sensitive personal data. Yet, companies who have not taken the appropriate measures will indeed be obliged to admit to their shortcomings and shoulder the responsibility for same.

The other benefit I see from this proposed code is how as an industry we all can learn from the mistakes or misfortunes of those who suffer a breach. I believe we would not have as many encrypted laptops and other mobile devices that we do today were it not been for the widespread publicity of lost unencrypted devices in the past.

Meanwhile, in the UK, the “Information Commissioner’s Office will not compel companies to report data losses:”

“Under the Data Protection Act organisations have an obligation to ensure that personal information is held securely. We encourage organisations to advise us as soon as they are aware of a data breach which puts their customers at risk,” the ICO said.

“Changes to the law are ultimately a matter for the government. Should legislation be proposed to compel UK organisations to notify people when a data breach occurs, it must be properly considered before it is introduced in the UK. ”

Krebs on Cyber vs Physical Crooks

In addition, while traditional bank robbers are limited to the amount of money they can physically carry from the scene of the crime, cyber thieves have a seemingly limitless supply of accomplices to help them haul the loot, by hiring so-called money mules to carry the cash for them.

I can’t help but notice one other important distinction between these two types of bank crimes: The federal government sure publishes a lot more information about physical bank robberies that it makes available about online stick-ups.

Go read “Cyber Crooks Leave Traditional Bank Robbers in the Dust” by Brian Krebs. Then ask why we sweep these crimes under the rug.

2 Proposed Breach Laws move forward

See George Hulme, “National Data Breach Law Steps Closer To Reality ” and Dennis Fisher “”

Dennis flags this awe-inspiring exception language: “rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.”

Emphasis added where my jaw dropped so fast that the letters are off-kilter.

[Update: Yes, I understand it’s likely an attempt to cover cryptosystems that we think work and are then broken, or some similar situation. However, if your data is encrypted with FEAL, and it turns out FEAL is really weak, should you really get an exception? You ought to be able to say you tried hard, but the data is still at risk. That may impact those who you told “your privacy is important to us.”]

Changing Expectations around Breach Notice

Earlier this month, the Department of Health and Human Services imposed a “risk of harm” standard on health care providers who lose control of your medical records. See, for example, “Health IT Data Breaches: No Harm, No Foul:”

According to HHS’ harm standard, the question is whether access, use or disclosure of the data poses a “significant risk of financial, reputational or other harm to [an] individual.”

I wasn’t the only one deeply concerned by that standard. Apparently Henry Waxman and Charles Rangel have written the Secretary of Health and Human Services to explain that “This is not consistent with the Congressional intent,” and

“ARRA’s statutory language does not imply a harm standard,” the lawmakers wrote. “Committee members specifically considered and rejected such a standard due to concerns over the breadth of discretion that would be given breaching entities, particularly with regard to determining something as substantive as harm from the releases of sensitive and personal health information.”

Their letter is here. See also “Lawmakers Urge Lower Bar for Health IT Data Breach Notification.”

Five years ago, no one would have said such things. It’s nice to see how quickly the field is maturing.

Proskauer Rose Crows "Rows of Fallen Foes!"

Over on their blog, the law firm announces yet another class action suit over a breach letter has been dismissed. Unfortunately, that firm is doing a fine business in getting rid of such suits. I say it’s unfortunate for two reasons: first, the sued business has to lay out a lot of money (not as much as a full trial, but it’s not socially useful to transfer money from shareholders to lawyers after a breach). Secondly, there may be some real harms, but those are not the subject of most of these suits.

As we see more and more breach notices, and as the number of social security numbers exposed comes to exceed the number issued, showing that a particular crime can be traced to a particular breach is going to get harder. The data is traded freely in markets and aggressively stirred together to make it harder to track origins.

Putting together a real case that this breach lead to that problem and thus that company is liable is going to be tricky. (And then there’s the question of what actions must a company take, but that’s another post.)

So having learned to mow down all these lawsuits (and Prokauser has it down to a science), I’m going to propose that there’s something else they should be advising their clients: notify early and often. The more notices that are out there, the harder it becomes to pin liability for any incident on any one company. So embrace the brave new world in which disclosure is required, and don’t worry about it so much. And while you’re at it, tell us what happened so we can learn from it and start making new and innovative mistakes.

New Breach Laws

Missouri adds a law with a “risk of harm trigger” aka the full-employment provision for lawyers and consultants. Texas adds health data to their notification list.

Most importantly, North Carolina requires notice to their attorney general for breaches smaller than 1,000 people. I think Proskauer here is being a little inaccurate when they characterize this as “being more forthcoming,” rather, it is “being forthcoming more often.”

Gisted from Brendon Tavelli, “Show-Me State Finally Shows Its Residents a Data Breach Notification Law, Other States (TX, NC, ME) Make Changes” at the Proskauer Rose privacy law blog.