Showing posts with label data breach notification. Show all posts

How to Keep InfoSec Investigation Secret

Confidentiality Labels as Compliance with Professional Ethics

In the investigation of a data security incident, proper use of confidentiality labels can help a lawyer or other professional show they are complying with ethical requirements for confidentiality.

Consider the American Bar Association Model Rules of Professional Conduct, “Client-Lawyer Relationship, Rule 1.6 Confidentiality of Information.” Rule 1.6(c) reads, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Official commentary to that Rule says: “When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. …  Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.”

Not Every Security Incident is a Breach


So let’s consider how this Rule 1.6(c) might apply to a data security investigation. A data security investigation can be very sensitive for an enterprise. The investigation can require much work and analysis to determine the legal impact of a security incident. The analysis may conclude that the enterprise has suffered a data security “breach” for which notice must be given and for which the enterprise is legally liable. On the other hand, the analysis may conclude there was no “breach” and therefore no requirement for notice and no liability.

Accordingly, it is in the best interests of the enterprise that the investigation be kept legally confidential. The enterprise does not want its legal adversaries (such as regulators or class action plaintiff lawyers) to know anything about the investigation. If the adversaries possess details from the investigation, they might use those details to penalize, hassle or assert liability against the enterprise.

An attorney working for the enterprise can help to promote the confidentiality of the investigation -- and all information and communications related to it -- by ensuring that the information and communications are properly labeled as “Confidential attorney-client communication,” “Confidential attorney work product created in preparation for dispute” or something like that.

In many cases law respects confidentiality associated with attorney communications and work. For this reason, non-lawyer professionals, like infosec experts, are motivated to involve a lawyer in their investigations.

Labels like those above can be powerful to prevent the unintended or unauthorized disclosure of sensitive information. The labels warn anyone who sees the information (police, vigilantes, regulators, contractors, employees, whistleblowers and so on) that it is confidential and protected by law. The labels can also help to prevent disclosure of the information through legal process such as a subpoena, a police raid or discovery in a civil lawsuit.

Thus, the labels would be a crucial part of a lawyer’s reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information belonging to the lawyer’s enterprise client. Furthermore, the labels could be evidence of a reasonable expectation by the lawyer that the information will be treated as confidential by law.

In other words, proper use of these labels can help an infosec lawyer comply with ethics Rule 1.6(c) quoted above.



Encrypted Personal Data On Stolen Laptop

Compromise of Password-Protected Computer Lost in Burglary

Anheuser-Busch notified thousands of employees that their personal data, and the data of their dependents, may theoretically be at risk of identity theft. The data were on a password-protected laptop, and the data were encrypted.


The case comes to light because one of the states involved, New Hampshire, requires notice be sent both to affected individuals and to the state attorney general, who publishes the notices on the web. New Hampshire's law does not require notice if data were encrypted. AB says the data were encrypted. It also says it has no information suggesting the burglars are attempting identity theft. So why did it give notice?

My guess is that the company was motivated more by the politics of the situation than a strict reading of the law.

The facts: A burglary in a Missouri building harvested several laptop computers from the offices of multiple companies. One of those laptops, belonging to AB, contained personal information (names, addresses, social security numbers and so on) about certain AB employees and their dependents.


Does Lost Computer Tape Equate to Lost Data?

How to Define "Data Security Compromise"?

Computerworld reports that the State of Ohio spent $3 million to remedy the breach of data security resulting from loss of a backup computer storage tape. The computer tape was sitting temporarily in an intern's automobile. The tape held sensitive (unencrypted) data such as social security numbers on thousands of state employees and taxpayers. Most of the $3 million went to giving the affected individuals free credit protection service . . .

Waste of Taxpayer Money

The expenditure of $3 million to deal with this security incident is nuts. The compromise of the tape's physical security does not necessarily mean that the data on the tape had been compromised or even threatened with compromise. What's the likelihood that a thief who steals something from a car is going to possess the equipment, knowledge, talent, patience and courage necessary to read the tape, figure out how to abuse the data on it, and then undertake the risky business of actually committing identity theft? My sense is that the likelihood is very low.

The skills needed to commit successful identity theft are very different from the skills needed to make an opportunistic theft of the contents of an automobile.

Some data breaches are serious, and some are not. This one doesn't sound serious. The $3 million went down a rat hole.

Lost Backup Tape:  What's the Big Problem?

Question: Are readers aware of any documented case where a lost backup tape led to identity theft?


--Benjamin Wright

Mr. Wright, a practicing attorney, teaches the Law of Data Security and Investigations at the SANS Institute.


[Postscript: My friend Mich Kabay has been writing about customs agents inspecting laptops as their owners cross international borders. Someone asked Mich whether an enterprise has suffered a data breach requiring notice if it gives a decryption key to customs so it can inspect the contents of a laptop containing personal information. My response: Some people unwisely set a low threshold for considering data to be compromised or for requiring the delivery of a breach notice. It would be ridiculous to say that cooperation with law enforcement (i.e., duly-authorized customs officials) constitutes a data security breach!]

Update: See my analysis of a breach notification where data on stolen laptop are encrypted.

Definition of Data Security Breach

When Has Privacy of Credit Card or Social Security Numbers been Compromised?


Security Incident Response and Information Protection Law


Many states now have data breach notification laws modeled on or inspired by California's SB 1386.  Usually, under 1386, an enterprise holding private information (name plus social security number, driver’s license number or financial account number + password) in electronic form about a California resident must promptly notify the resident if the enterprise suspects a breach in security.

In all these data notification laws, a key issue is the definition of what constitutes a breach of data security. Just because a hacker accesses data related to a credit card account does not mean that the account has in fact been compromised (or, in the alternative, that the data has been compromised in any meaningful way). The credit card system features many layers of security beyond simply the purported confidentiality of a person's name + credit card number + card security code.

Thus a corporation holding data might detect that a hacker accessed card data, but still conclude (based on other controls in the industry) that none of the card data in question had in fact been "compromised". The other controls I speak of can include monitoring of card activity, telephoning cardholders to confirm transactions and much more.

Confusing and Unnecessary Notices

(Caption: To send unnecessary breach notice is unethical.)
If a data owner is too quick to conclude that a minor slip in security constitutes a "data security breach", then the owner will senselessly waste money and confuse constituents by sending them unnecessary notices and providing them unwarranted credit protection services. Further, excessive conclusions that a breach has occurred can lead to credit cards being replaced so often that cardholders don't know which of the cards in their wallet is valid and which is not.

Crying WOLF

When the public hears too many announcements that data has been "BREACHED," it becomes like the villagers who grew insensitive to the boy's cries of "WOLF". For that reason, I argue enterprises are legally and ethically justified to expect that a reasonably high threshold be crossed before they send out notices of a "data security breach."

2013 Reform

I published most of the foregoing in 2007 and 2008.  Fortunately, in 2013 a leading authority has reviewed this issue carefully and instituted reform.  The U.S. Department of Health and Human Services now says that a breach notice is required only after a sophisticated risk assessment has determined a notice is justified.  See my analysis of HHS's new regulation on data security breach notice.

--

Attorney Wright teaches the law of data security and investigations at the SANS Institute.

Update July 2008: Anton Chuvakin makes an interesting observation. If dataholders maintain good system logs, then in the event of a security breach they can examine the logs carefully to determine with precision which particular data files (if any) were compromised. That would allow them to notify only the people affected, rather than everyone on whom they hold data.
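As an added illustration of the log-scoping idea above (example code written for this page, not from the post or from Chuvakin), the script below reads a constructed file-access audit log, keeps only the reads made by an assumed compromised account inside an assumed incident window, and maps the touched files to the data subjects they hold, so that notice goes only to those people. The log format, account name, file paths and record IDs are all constructed for the example.

```python
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample audit log (hypothetical format: timestamp, account, action, file path).
SAMPLE_LOG = """\
2008-06-01T09:15:02Z svc-backup READ /records/employees/batch-001.csv
2008-06-02T22:03:11Z svc-backup READ /records/employees/batch-002.csv
2008-06-02T22:05:47Z svc-backup READ /records/dependents/batch-007.csv
2008-06-02T22:07:03Z jsmith READ /records/employees/batch-003.csv
2008-06-03T08:00:00Z svc-backup READ /records/employees/batch-004.csv
"""

# Constructed index of which data subjects (record IDs) each file holds.
FILE_SUBJECTS = {
    "/records/employees/batch-001.csv": {"A-1001", "A-1002"},
    "/records/employees/batch-002.csv": {"A-1003"},
    "/records/employees/batch-003.csv": {"A-1004"},
    "/records/employees/batch-004.csv": {"A-1005"},
    "/records/dependents/batch-007.csv": {"D-2001", "D-2002"},
}

def parse_log(text):
    """Yield (timestamp, account, action, path) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            ts, account, action, path = line.split()
            yield datetime.strptime(ts, TS_FMT), account, action, path

def scope_breach(log_text, file_subjects, compromised_account, window_start, window_end):
    """Return (touched_files, subjects_to_notify, subjects_not_affected), each sorted.
    Only READs by the compromised account inside the incident window count as exposure;
    everyone whose files were never touched in that window needs no notice."""
    start, end = datetime.strptime(window_start, TS_FMT), datetime.strptime(window_end, TS_FMT)
    touched = {p for ts, acct, act, p in parse_log(log_text)
               if acct == compromised_account and act == "READ" and start <= ts <= end}
    to_notify = set().union(*(file_subjects[p] for p in touched if p in file_subjects))
    everyone = set().union(*file_subjects.values())
    return sorted(touched), sorted(to_notify), sorted(everyone - to_notify)

def demo():
    """Scope the constructed incident: svc-backup assumed abused on 2 June, 22:00-23:00Z."""
    return scope_breach(SAMPLE_LOG, FILE_SUBJECTS, "svc-backup",
                        "2008-06-02T22:00:00Z", "2008-06-02T23:00:00Z")

if __name__ == "__main__":
    touched, notify, spared = demo()
    print("files exposed:", touched)
    print("notify:", notify, "| no notice needed:", spared)
```

Reads by other accounts and reads by the compromised account outside the window are left out of the notification set, which is exactly the precision the logs make possible; without such logs, the whole population would have to be notified.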

For more on this topic, see my other article on data security breach.

Update Summer 2008: See my analysis of a breach notification where data on stolen laptop are encrypted, and my examination of the definition of "private" data.

(Reminder: Nothing I publish is legal advice to anyone and not a substitute for advice from a lawyer.)