Definition of Data Security Breach

When Has Privacy of Credit Card or Social Security Numbers been Compromised?


Security Incident Response and Information Protection Law


Many states now have data breach notification laws modeled on or inspired by California's SB 1386. Under SB 1386, an enterprise holding private information (name plus social security number, driver's license number, or financial account number plus password) in electronic form about a California resident must promptly notify the resident if the enterprise suspects a breach in security.

In all these data notification laws, a key issue is the definition of what constitutes a breach of data security. Just because a hacker accesses data related to a credit card account does not mean that the account has in fact been compromised (or, in the alternative, that the data has been compromised in any meaningful way). The credit card system features many layers of security beyond simply the purported confidentiality of a person's name + credit card number + card security code.

Thus a corporation holding data might detect that a hacker accessed card data, but still conclude (based on other controls in the industry) that none of the card data in question had in fact been "compromised". The other controls I speak of can include monitoring of card activity, telephoning cardholders to confirm transactions and much more.

Confusing and Unnecessary Notices

(Image: incident investigation.) To send an unnecessary breach notice is unethical.
If a data owner is too quick to conclude that a minor slip in security constitutes a "data security breach", then the owner will senselessly waste money and confuse constituents by sending them unnecessary notices and providing them unwarranted credit protection services. Further, excessive conclusions that a breach has occurred can lead to credit cards being replaced so often that cardholders don't know which of the cards in their wallet is valid and which is not.

Crying WOLF

When the public hears too many announcements that data has been "BREACHED," it becomes like the villagers who grew insensitive to the boy's cries of "WOLF". For that reason, I argue enterprises are legally and ethically justified to expect that a reasonably high threshold be crossed before they send out notices of a "data security breach."

2013 Reform

I published most of the foregoing in 2007 and 2008. Fortunately, in 2013 a leading authority reviewed this issue carefully and instituted reform. The U.S. Department of Health and Human Services now says that a breach notice is required only after a sophisticated risk assessment has determined that a notice is justified. See my analysis of HHS's new regulation on data security breach notice.

--

Attorney Wright teaches the law of data security and investigations at the SANS Institute.

Update July 2008: Anton Chuvakin makes an interesting observation. If data holders maintain good system logs, then in the event of a security breach they can examine the logs carefully to determine with precision which particular data files (if any) were compromised. That would allow them to notify only the people affected, rather than everyone on whom they hold data.
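One way to put Chuvakin's observation into practice, as an added example that is not part of the original post: given an access log and the session an investigation has identified as compromised, compute which data subjects' records were actually read, and which were exported, so that notice goes only to those people. The log format, field names, session ids and time window are assumptions made for the illustration.

```python
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed sample access log (not real data). Tab-separated fields:
# timestamp, session_id, actor, action, record_id, data_subject
# A "-" record/subject marks a metadata-only action (e.g. listing a directory).
SAMPLE_LOG = """\
2008-07-10T02:14:07Z\tS-1001\tsvc_report\tREAD\tcard-0001\tcustomer-A
2008-07-10T02:14:09Z\tS-1001\tsvc_report\tREAD\tcard-0002\tcustomer-B
2008-07-10T03:40:11Z\tS-2042\tjdoe\tREAD\tcard-0003\tcustomer-C
2008-07-10T03:41:55Z\tS-2042\tjdoe\tEXPORT\tcard-0003\tcustomer-C
2008-07-10T03:42:01Z\tS-2042\tjdoe\tREAD\tcard-0004\tcustomer-D
2008-07-10T03:45:30Z\tS-2042\tjdoe\tLIST\t-\t-
2008-07-10T09:00:00Z\tS-3100\tasmith\tREAD\tcard-0005\tcustomer-E
"""

# Assumed investigation result: the window in which session S-2042 was under attacker control.
WINDOW_START = datetime(2008, 7, 10, 3, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2008, 7, 10, 4, 0, 0, tzinfo=timezone.utc)

def parse_log(text: str) -> List[dict]:
    """Parse tab-separated log lines; blank lines are skipped, malformed lines rejected."""
    fields = ("ts", "session", "actor", "action", "record", "subject")
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"malformed log line: {line!r}")
        entry = dict(zip(fields, values))
        entry["when"] = datetime.fromisoformat(entry["ts"].replace("Z", "+00:00"))
        entries.append(entry)
    return entries

def scope_breach(entries: List[dict], compromised: Set[str],
                 start: datetime, end: datetime) -> Dict[str, Set[str]]:
    """Return the subjects whose records a compromised session read in the window,
    and the subset whose records it exported (stronger evidence of compromise)."""
    accessed, exported = set(), set()
    for e in entries:
        if e["session"] not in compromised or not (start <= e["when"] <= end):
            continue
        if e["subject"] == "-":          # metadata-only action touched no record
            continue
        if e["action"] in ("READ", "EXPORT"):
            accessed.add(e["subject"])
        if e["action"] == "EXPORT":
            exported.add(e["subject"])
    return {"accessed": accessed, "exported": exported}

if __name__ == "__main__":
    print(scope_breach(parse_log(SAMPLE_LOG), {"S-2042"}, WINDOW_START, WINDOW_END))
```

Out of five customers with records on the system, only two were touched by the compromised session and only one record was exported, which is the difference between a targeted notice and a mass mailing.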

For more on this topic, see my other article on data security breach.

Update Summer 2008: See my analysis of a breach notification where data on stolen laptop are encrypted, and my examination of the definition of "private" data.

(Reminder: Nothing I publish is legal advice to anyone and not a substitute for advice from a lawyer.)

2 comments:

  1. I find this point of view ridiculous. If a stranger obtains copies of the keys to your home, at what point do you want to be notified of that fact? Immediately, so you can change your locks to keep them out? At some later time, once it has been determined that they are actually trying to gain entry to the house? After they have stolen your possessions, but when other parties are trying to have them replaced? Or never, because you trust the party who allowed your keys to be duplicated to suddenly start protecting your interests? At what point in the process do you feel the security of your home has been compromised?

  2. Thank you for the thoughtful comment above. You express a popular opinion. My view: My house keys are nothing like my credit card info and my social security number. I never give my house keys to strangers. My house keys are never processed in information systems. In contrast, I give my credit card info to strangers many times every day. And although I give strangers my social security number less frequently, it still happens often. My credit card and social security info are stored in an infinite number of places. As an informed consumer, I am on notice that my data are exposed all the time. I know I should be monitoring my accounts carefully all the time. It does me no good to receive a general notice from a corporation saying that my account information was one of millions of accounts the IT security of which has been compromised. That notice tells me nothing that is actionable. In fact, I am a fool if I wait until I receive one of these notices before I increase my vigilance. My vigilance should be at red alert all the time. (Footnote: I do wish to receive notice if a corporation learned that a criminal had specifically targeted me for abuse. An example of specific targeting is where a couple of State Department employees breached the specific passport records of Hillary, Obama and McCain. Another example: I do wish to receive notice if a corporation learns that an ID thief has opened a new financial account in my name. These two example notices would provide me actionable information.) --Ben
