Category: Legal

State disclosure laws

I’ve written up a comparison of what I believe to be all existing US state disclosure laws with regard to three loopholes that have been discussed by, among others, Rob Lemos and Bruce Schneier recently.
I’m experimenting with Blosxom, so I posted this over here.
The executive summary is all the state laws could use improvement, but if you care most about these three loopholes, Maine looks pretty good. If you expand your evaluation criteria to include central reporting or tighter protection of personal information, New York is the top of the heap.

Palestinian TV and Regulatory Capture

There’s an article about the chaos of Palestinian TV on Wired News, “Live From the West Bank,” which starts:

Helga Tawil Souri reclines on the couch at a friend’s house in the Palestinian West Bank, getting sucked into an Egyptian movie about a woman in an insane asylum. Right before the climactic face-off, though, the screen goes black, and a different movie pops on. A visitor to the area, Souri is startled and a bit peeved. Her host, a dentist named Abu Mohammed, grins knowingly. He picks up his cell phone and dials the manager of the local television station. After gossiping and speculating about the weather for a few minutes, Mohammed gets to the point: “Look, if it’s not too much trouble, can you put the movie back on?” Five minutes later, televisions across the area flicker, the image on the screen shifts, and the original film’s conclusion airs.

The article discusses how a lack of regulation creates a confused, amateurish, open space for people to experiment with TV, and then concludes:

Fellow journalist Walid Batrawi shares Kuttab’s goals and has helped draft reforms for the Palestinian Authority calling for minimum levels of investment, education, and staffing for each station. The restrictions were supposed to go into effect in 2000 and would have put many small operations out of business.

Indeed, putting small, nimble, responsive organizations out of business is often either an explicit goal or unavoidable side effect of regulation. I’ve been watching the acquisitions of both Sourcefire and NCipher fall victim to regulatory inquiries which move too slowly for the acquirer to wait around. As a startup guy, this worries the heck out of me. You can never have too many opportunities for exit (right, Siteadvisor?). Sarbanes-Oxley has already cut back on the ability of startups to go public, raising that bar. National and international regulators are now exercising another bar. Every opportunity for exit is a chance to value the business, reassess the market, and weigh anticipated growth versus a chance to make value gains liquid. But I digress.

I’m not a big believer in using violence, or the threat of violence, to control a market. I think people should be allowed free speech, even in the case of the Palestinian Authority, which has long funneled US and EU aid into the creation and broadcast of anti-Semitic propaganda on official TV stations. Let a thousand flowers bloom, even if some of them are ugly.

Just don’t use regulation to prevent them from growing.

Low-quality DATA

The other day, I wrote about the Data Accountability and Trust Act (DATA), which has been received well by consumer and privacy advocacy organizations. For example,

“We’re pleased with the compromise ‘trigger’ language relating to when a business must notify individuals of a breach of their personal information,” said several privacy advocacy groups in a joint statement issued the day before the vote.

Having finally read the full text of the bill, I’m not sure I share this pleasure.


National breach list? Pinch me!

H.R. 3997, the Financial Data Protection Act, is one of the many pieces of legislation proposed in the US to deal with identity theft or notification of security breaches. It was approved by the Financial Services Committee of the House of Representatives on 3/16.
I haven’t read the full text of the bill (and it has been roundly criticized by folks whose opinions I trust) but I was happy to see this in the press release from the committee:

An amendment offered by Rep. Barbara Lee (CA) would require the Federal Trade Commission to coordinate with other government entities to create a publicly available list of data security breaches that have triggered a notice to consumers within a twelve month period.

Another piece of legislation, which has been received rather better by privacy advocates and consumer rights groups, is the Data Accountability and Trust Act. Guess what? It also requires central reporting of breaches:

Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data–
[…]
(2) notify the [Federal Trade] Commission;
[…]
The Commission shall place, in a clear and conspicuous location on its Internet website, a notice of any breach of security that is reported to the Commission under subsection (a)(2).

I am happy to see these elements make their way into national legislation.

Laptop theft

The Register has been on Ernst & Young’s case. The latest Exclusive! talks about a laptop stolen in early January, and how we now know it had info on BP employees, along with those from IBM and others.
The article also observes that:

It’s difficult to obtain an exact figure on how many people have been affected by Ernst & Young’s security lapse given that it won’t say anything on the subject.

The number, as we reported 10 days ago, is 84,000.
The figure was reported to the New York State Consumer Protection Board by E&Y on February 10, 2006.
The laptop contained, according to E&Y’s report to New York officials:

files relating to a number of Ernst & Young corporate clients, and that these files contained various personal information relating to employees of those clients. [Ernst & Young] also determined that the laptop contained a separate file with the names and Social Security numbers of individuals for whom Ernst & Young provided services.

That letter goes on to explain that E&Y is working with their corporate clients to notify the relevant individuals impacted by the disclosure of the corporate files, and is itself notifying the individuals whose information was in the other file.
This may explain why, in an earlier report to NY’s Consumer Protection Board, AG’s office, and the Office of Cyber Security and Critical Infrastructure Coordination, Goldman Sachs described a loss of info by E&Y which exposed info on about 9000 Goldman employees and dependents. It seems that this loss was due to the same laptop theft.
IANAL, so I can’t say whether the legal responsibility to notify those potentially affected lies with E&Y’s corporate clients or with E&Y. Perhaps the shortage of information on this has something to do with that aspect of this particular incident.

Breach notification escape mechanisms

In a somewhat incendiary piece published today at Securityfocus.com, Robert Lemos reports on loopholes in notification laws which permit firms to avoid informing people that their personal information has been revealed.

According to the article, which along with unnamed “security experts” also cites industry notable Avivah Litan, “[t]here are three cases in which a company suffering a breach can bypass current notification laws”. First is if notification would impede an investigation by law enforcement, then:

If the stolen data includes identifiable information–such as debit card account numbers and PINs–but not the names of consumers, then a loophole in the law allows the company who failed to protect the data to also forego notification. Finally, if the database holding the personal information was encrypted but the encryption key was also stolen, then the company responsible for the data can again withhold its warning.

Not quite. At least one state has a law that closes the quoted loopholes.

New York’s law says the following:

ARTICLE 39-F
NOTIFICATION OF UNAUTHORIZED ACQUISITION OF PRIVATE INFORMATION
SECTION 899-AA. NOTIFICATION; PERSON WITHOUT VALID AUTHORIZATION HAS ACQUIRED PRIVATE INFORMATION.
S 899-AA. NOTIFICATION; PERSON WITHOUT VALID AUTHORIZATION HAS ACQUIRED PRIVATE INFORMATION. 1. AS USED IN THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS:
(A) "PERSONAL INFORMATION" SHALL MEAN ANY INFORMATION CONCERNING A NATURAL PERSON WHICH, BECAUSE OF NAME, NUMBER, PERSONAL MARK, OR OTHER IDENTIFIER, CAN BE USED TO IDENTIFY SUCH NATURAL PERSON;
(B) "PRIVATE INFORMATION" SHALL MEAN PERSONAL INFORMATION CONSISTING OF ANY INFORMATION IN COMBINATION WITH ANY ONE OR MORE OF THE FOLLOWING DATA ELEMENTS, WHEN EITHER THE PERSONAL INFORMATION OR THE DATA ELEMENT IS NOT ENCRYPTED, OR ENCRYPTED WITH AN ENCRYPTION KEY THAT HAS ALSO BEEN ACQUIRED:
(1) SOCIAL SECURITY NUMBER;
(2) DRIVER'S LICENSE NUMBER OR NON-DRIVER IDENTIFICATION CARD NUMBER; OR
(3) ACCOUNT NUMBER, CREDIT OR DEBIT CARD NUMBER, IN COMBINATION WITH ANY REQUIRED SECURITY CODE, ACCESS CODE, OR PASSWORD THAT WOULD PERMIT ACCESS TO AN INDIVIDUAL'S FINANCIAL ACCOUNT;

As can be readily seen, the encryption loophole is decidedly not present. Moreover, disclosure of a person’s name and other private information is not necessary to trigger notification (although it is sufficient).
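To make the quoted definition concrete, here is an added example (mine, not from the post or from New York State) that encodes section 899-aa(1)(b) literally as a breach-triage check. The record shape and field names are constructed, and the statute's "either ... is not encrypted" wording is followed as written, so a plaintext identifier beside an encrypted data element still triggers.

```python
from dataclasses import dataclass

# Data elements enumerated in the quoted section 899-aa(1)(b)(1)-(3).
# Element (3) is a combination: an account/card number plus a code that
# permits access to the account. Field names are constructed for this example.
DATA_ELEMENTS = {
    "ssn": {"ssn"},
    "drivers_license": {"drivers_license"},
    "financial_account": {"account_number", "access_code"},
}
ELEMENT_FIELDS = set().union(*DATA_ELEMENTS.values())


@dataclass(frozen=True)
class StolenRecord:
    """One record as it left the custodian (constructed breach-report shape)."""
    fields: frozenset                    # all field names in the stolen data
    encrypted: frozenset = frozenset()   # the subset that was encrypted
    key_acquired: bool = False           # was the encryption key taken too?


def unprotected(rec, names):
    # 899-aa(1)(b): data is exposed if it is "not encrypted, or encrypted
    # with an encryption key that has also been acquired".
    return not names <= rec.encrypted or rec.key_acquired


def private_information(rec):
    """Return the data elements that make this record 'private information'.

    An empty list means the quoted definition is not met. The test is
    literally 'either the personal information OR the data element' exposed.
    """
    # 899-aa(1)(a): any identifier of a natural person is "personal
    # information"; a name is one such identifier, not the only one.
    # Assumption: the account number itself is not treated as that identifier
    # here, so a separate identifying field is required.
    identifiers = rec.fields - ELEMENT_FIELDS
    if not identifiers:
        return []
    hits = []
    for element, needed in DATA_ELEMENTS.items():
        if needed <= rec.fields and (
            unprotected(rec, identifiers) or unprotected(rec, needed)
        ):
            hits.append(element)
    return hits


def requires_notice(rec):
    return bool(private_information(rec))
```

A card number without its access code never matches element (3), while a record with an e-mail address, card number and PIN but no name does.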

Inasmuch as this latest breach undoubtedly involves at least one New York State resident, it would appear to this layman that attempts to justify a failure to notify on either the “it was encrypted” or the “but they didn’t steal any names” loopholes are perilous at best.

If state breach legislation is not pre-empted at a national level, others would do well to study the example set by the Empire State.
(Updated to add specific mention of law-enforcement exception)

Government Issued Data and Privacy Law

I’d like to say more about the issue of privacy law, and clarify a bit of jargon I often use. (Alex Hutton pointed out it was jargon in a comment on “There Outta be a Law”.)

As background, some people have objected to privacy laws as being at odds with the First Amendment guarantees of free speech. How can you pass a law that forbids people from talking about other people? One might respond, how can you pass a law that forbids libel suits against commercial entities that encourage reliance on their speech, while disclaiming liability for it? That response, however, seems to fall on deaf ears, and so I’d like to suggest another basis for privacy law which would be in harmony with free speech.

Absent government action, building an industrialized gossip business is hard. English common law long recognized the right to use any name you wanted, so long as the purpose wasn’t fraud. How to distinguish between all the Tim Mays in the database? Well, the government issues social security numbers. They tell people that your number is unique. They used to tell people it wasn’t for identification purposes.


There Outta be a Law

A reader wrote in to ask why I’m not more forcefully advocating new laws around information security. After all, we report on hundreds of failures with deeply unfortunate consequences for people. Those people have little say in how their data is stored, so shouldn’t we have a law to protect them?

We probably should, and I have advocated for a law that puts strict privacy requirements around data issued by or validated by the government. I think that’s a more reasonable tradeoff between free speech and privacy than a more general privacy law.

At the same time, I’m hesitant to create a general purpose data security law, because I don’t know what it should say. The very broad and general provisions of Sarbanes Oxley are quite challenging to interpret. [Spelling corrected, thanks Ian!] A more specific law creates lock-in for solutions that will be sub-optimal because we don’t yet know what the best things to do are. (I had a conversation about this with S.L.–his company needs to get a lot of products certified under the “Common Criteria,” but they don’t think they get a lot of value from the process.) Changing the CC process is hard and slow. Since we don’t yet have a good picture of how breaches occur, it’s too early to be writing laws that require more than disclosure, and probably a right to recover damages for privacy violations, even if they’re not fiscally damaging.

[Update: Don’t miss Alex Hutton’s great comment on the effects of regulation on the regulated.]

New Jersey's breach law

New Jersey’s breach notification law went into effect in mid-December 2005. Like New York’s, it requires that a state entity be notified, in addition to the persons whose info was exposed:

c. (1) Any business or public entity required under this section to disclose a breach of security of a customer’s personal information shall, in advance of the disclosure to the customer, report the breach of security and any information pertaining to the breach to the Division of State Police in the Department of Law and Public Safety for investigation or handling, which may include dissemination or referral to other appropriate law enforcement entities.

NJ’s Breach Notice Law
Ah. Unlike New York’s law, New Jersey’s makes that entity the State Police. NJ doesn’t consider information “for use by any law enforcement agency in this State or any other state or federal law enforcement agency” to be a government record, so perhaps the required notices needn’t be released (IANAL).

Direct Marketing Association opposes consumer right to see, correct information

Access and correction rights are something the DMA wants removed from the bill, Cerasale said. For one thing, it would be expensive for list brokers and compilers to set up procedures enabling consumers to access and correct data. For another, the same hackers who caused the breach could also change the data.

Multichannelmerchant.com
You can’t correct the info we have on you because hackers may have made it incorrect. Gutsy argument to make, DMA — “Costs from hacking are better left on you, the millions of little guys, rather than us, even though it is vastly cheaper for us to make a correction than it is for you to recover from an unauthorized change’s consequences”.
