Breach notification escape mechanisms
In a somewhat incendiary piece [link to http://www.securityfocus.com/news/11381 no longer works] published today at Securityfocus.com, Robert Lemos reports on loopholes in notification laws which permit firms to avoid informing people that their personal information has been revealed.
According to the article, which, along with unnamed “security experts”, also cites industry notable Avivah Litan, “[t]here are three cases in which a company suffering a breach can bypass current notification laws”. The first is if notification would impede an investigation by law enforcement; then:
If the stolen data includes identifiable information–such as debit card account numbers and PINs–but not the names of consumers, then a loophole in the law allows the company who failed to protect the data to also forego notification. Finally, if the database holding the personal information was encrypted but the encryption key was also stolen, then the company responsible for the data can again withhold its warning.
Not quite. At least one state has a law that closes the quoted loopholes.
New York’s law says the following:
ARTICLE 39-F
NOTIFICATION OF UNAUTHORIZED ACQUISITION OF PRIVATE INFORMATION
SECTION 899-AA. NOTIFICATION; PERSON WITHOUT VALID AUTHORIZATION HAS ACQUIRED PRIVATE INFORMATION.

S 899-AA. NOTIFICATION; PERSON WITHOUT VALID AUTHORIZATION HAS ACQUIRED PRIVATE INFORMATION. 1. AS USED IN THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS:
(A) "PERSONAL INFORMATION" SHALL MEAN ANY INFORMATION CONCERNING A NATURAL PERSON WHICH, BECAUSE OF NAME, NUMBER, PERSONAL MARK, OR OTHER IDENTIFIER, CAN BE USED TO IDENTIFY SUCH NATURAL PERSON;
(B) "PRIVATE INFORMATION" SHALL MEAN PERSONAL INFORMATION CONSISTING OF ANY INFORMATION IN COMBINATION WITH ANY ONE OR MORE OF THE FOLLOWING DATA ELEMENTS, WHEN EITHER THE PERSONAL INFORMATION OR THE DATA ELEMENT IS NOT ENCRYPTED, OR ENCRYPTED WITH AN ENCRYPTION KEY THAT HAS ALSO BEEN ACQUIRED:
(1) SOCIAL SECURITY NUMBER;
(2) DRIVER'S LICENSE NUMBER OR NON-DRIVER IDENTIFICATION CARD NUMBER; OR
(3) ACCOUNT NUMBER, CREDIT OR DEBIT CARD NUMBER, IN COMBINATION WITH ANY REQUIRED SECURITY CODE, ACCESS CODE, OR PASSWORD THAT WOULD PERMIT ACCESS TO AN INDIVIDUAL'S FINANCIAL ACCOUNT;
As can be readily seen, the encryption loophole is decidedly not present: data that was encrypted still counts as “private information” when the encryption key was acquired along with it. Moreover, disclosure of a person’s name together with other private information is not necessary to trigger notification (although it is sufficient), since “personal information” covers anything that identifies the person by name, number, personal mark or other identifier.
Inasmuch as this latest breach undoubtedly involves at least one New York State resident, it would appear to this layman that attempts to justify a failure to notify on either the “it was encrypted” or the “but they didn’t steal any names” loopholes are perilous at best.
If state breach legislation is not pre-empted at a national level, others would do well to study the example set by the Empire State.
(Updated to add specific mention of law-enforcement exception)
The article has been corrected. I appreciate you noting the error.
While I hope there won’t be a next time, if there is, please also drop me a note regarding the error.
Thanks.
-R
Rob:
Thanks. I’m hoping that the conventional wisdom (even, it seems, among the experts you cited) begins to recognize that not all state laws suffer from the defects you noted. Just the majority of them :^(