Shostack + Friends Blog Archive


Breach Notification, the New Normal, and a New Metaphor

[Photo: an overflowing dam]

Ever wonder if banks are required to tell customers when their systems are hacked? You may be shocked to learn that they are not.

Wow. Fifteen months since Choicepoint, and that’s being written? There’s a new set of expectations out there, and it hasn’t taken long to set. Thank you, Choicepoint. The quote leads an article, “Are Banks Required To Give Notice of Database Hacks?” [link to http://www.sandiegobusinesslawfirm.com/bank_hack_notify no longer works] on San Diego Business Lawfirm.

Thanks to the Privacy Law Blog, we know that Arizona and Colorado have passed new breach notice laws. Arizona has taken a broad definition of breach in Senate Bill 1338:

“Security Breach” means “an unauthorized acquisition of and access to unencrypted or unredacted computerized data that materially compromises the security or confidentiality of personal information… and that causes or is reasonably likely to cause substantial economic loss to an individual.”

Colorado, meanwhile, has enacted [link to http://www.stateaction.org/blog/?p=166 no longer works] House Bill 1119 [link to http://www.leg.state.co.us/clics2006a/csl.nsf/fsbillcont3/DBB688E3B54B4CD68725706800520789?Open&file=1119_enr.pdf no longer works], which contains a “fox guards the henhouse, and sits in the alarm booth” clause:

The new law requires businesses to conduct, in good faith, a reasonable and prompt investigation into a security breach, and unless it determines that misuse of the personal information has not occurred and is not reasonably likely to occur…

I think it would be remarkably risky to invoke that clause. Businesses should ask who owns that liability if someone makes a mistake. The Center For Policy Alternatives [link to http://www.stateaction.org/issues/issue.cfm/issue/IdentityTheft.xml no longer works] has Model Identity Theft Legislation [link to http://www.stateaction.org/issues/legislation.cfm/issue/IdentityTheft.xml no longer works] that doesn’t contain this clause. In my non-lawyerly opinion, that speaks to the new norms, and to the burden of proof that companies are being asked to develop in a short time, under extreme pressure. Who wants these clauses, anyway?

These questions are holding up a national law, according to Computerworld, “Analysis: Data breach notification law unlikely this year.” Such delays are a good thing, because they give the new norm time to set, and give people time to become accustomed to breach notices.

The overflowing dam photo is by Firesign, on Flickr. Come to think of it, maybe an overflowing dam is a better metaphor than a breached one: there’s so much data collected that organizations can’t hope to control it?