Shostack + Friends Blog Archive

 

Breach notification escape mechanisms

In a somewhat incendiary piece [link to http://www.securityfocus.com/news/11381 no longer works] published today at Securityfocus.com, Robert Lemos reports on loopholes in notification laws which permit firms to avoid informing people that their personal information has been revealed.

According to the article, which along with unnamed “security experts” also cites industry notable Avivah Levitan, “[t]here are three cases in which a company suffering a breach can bypass current notification laws”. First is if notification would impede an investigation by law enforcement, then:

If the stolen data includes identifiable information–such as debit card account numbers and PINs–but not the names of consumers, then a loophole in the law allows the company who failed to protect the data to also forego notification. Finally, if the database holding the personal information was encrypted but the encryption key was also stolen, then the company responsible for the data can again withhold its warning.

Not quite. At least one state has a law that closes the quoted loopholes.

New York’s law says the following:

1                                ARTICLE 39-F
2       NOTIFICATION OF UNAUTHORIZED ACQUISITION OF PRIVATE INFORMATION
3    SECTION  899-AA.  NOTIFICATION; PERSON WITHOUT VALID AUTHORIZATION HAS
4  ACQUIRED PRIVATE INFORMATION.
5    S  899-AA.  NOTIFICATION;  PERSON  WITHOUT  VALID  AUTHORIZATION   HAS
6  ACQUIRED  PRIVATE INFORMATION. 1. AS USED IN THIS SECTION, THE FOLLOWING
7  TERMS SHALL HAVE THE FOLLOWING MEANINGS:
8    (A) "PERSONAL INFORMATION" SHALL MEAN  ANY  INFORMATION  CONCERNING  A
9  NATURAL  PERSON  WHICH, BECAUSE OF NAME, NUMBER, PERSONAL MARK, OR OTHER
10  IDENTIFIER, CAN BE USED TO IDENTIFY SUCH NATURAL PERSON;
11    (B) "PRIVATE INFORMATION" SHALL MEAN PERSONAL  INFORMATION  CONSISTING
12  OF  ANY INFORMATION IN COMBINATION WITH ANY ONE OR MORE OF THE FOLLOWING
13  DATA ELEMENTS, WHEN EITHER THE PERSONAL INFORMATION OR THE DATA  ELEMENT
14  IS NOT ENCRYPTED, OR ENCRYPTED WITH AN ENCRYPTION KEY THAT HAS ALSO BEEN
15  ACQUIRED:
16    (1) SOCIAL SECURITY NUMBER;
17    (2)  DRIVER`S LICENSE NUMBER OR NON-DRIVER IDENTIFICATION CARD NUMBER;
18  OR
19    (3) ACCOUNT NUMBER, CREDIT OR DEBIT CARD NUMBER, IN  COMBINATION  WITH
20  ANY  REQUIRED  SECURITY CODE, ACCESS CODE, OR PASSWORD THAT WOULD PERMIT
21  ACCESS TO AN INDIVIDUAL`S FINANCIAL ACCOUNT;

As can be readily seen, the encryption loophole is decidedly not present. Moreover, disclosure of a person’s name and other private information is not necessary to trigger notification (although it is sufficient).

Inasmuch as this latest breach undoubtedly involves at least one New York State resident, it would appear to this layman that attempts to justify a failure to notify on either the “it was encrypted” or the “but they didn’t steal any names” loopholes are perilous at best.

If state breach legislation is not pre-empted at a national level, others would do well to study the example set by the Empire State.
(Updated to add specific mention of law-enforcement exception)

2 comments on "Breach notification escape mechanisms"

  • Rob Lemos says:

    The article has been corrected. I appreciate you noting the error.
    While I hope there won’t be a next time, if there is, please also drop me a note regarding the error.
    Thanks.
    -R

  • Chris Walsh says:

    Rob:
    Thanks. I’m hoping that the conventional wisdom (even, it seems, among the experts you cited) begins to recognize that not all state laws suffer from the defects you noted. Just the majority of them :^(

Comments are closed.