Ephemerallaw: Monster.com Breach Highlights Limitations of Notification Laws

Sunday, August 26, 2007

Monster.com Breach Highlights Limitations of Notification Laws

Do you have your resume posted on line? If so, then there's a good chance you've heard about the data breach at Monster.com, described in this article from C|NET. The breach itself wasn't record breaking...a mere 1.3 million job seekers had their data stolen. While the fact that 1.3 million records seems like a relatively small breach is somewhat troubling in itself, this post isn't written to decry the fact the disturing frequency of data breaches. Instead, it is written to show some of the limits of data breach notification laws as they are currently written. In the monster.com breach, the information stolen included names, addresses, phone numbers, and email addresses. No other details such as bank account numbers were uploaded. While most states have laws that require companies to provide notification of unauthorized access to their customers' personal information, those laws don't necessarily cover breaches like that at monster. For example, California's SB 1386 defines "personal information" as

an individual's first name or first initial and last name in combination
with any one or more of the following data elements, when either the
name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card
number.
(3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.

In the monster.com breach, none of the information set forth in subsections (1)-(3) quoted above was stolen, so the breach itself appears to fall outside the scope of the law. Does this mean that the monster.com breach was innocuous? Not at all. According to the C|NET article, the individuals who hacked monster.com would send emails attempting to get further information from people whose data had been stolen. The emails would be created using the stolen data, giving them more credibility than they would otherwise have, and making it more likely that the emails' recipients would think they were legitimate. While that type of risk doesn't seem to be one that California's data breach notification law was intended to cover, it is possible that more breaches of the monster.com variety will occur, as businesses begin to react to existing law by making it less likely that bank account numbers or other information are available for hackers. If that is the case, state legislatures might consider revisting their existing laws, and revising them as necessary to deal with this newer type of threat.

1 comment:

WOW GOLD said...: Nice blog. I a also ardent player of WOW GOLD. I love this game. Nice posting about wow gold. Thanks; August 19, 2009 at 11:29 PM

Post a Comment

Privacy Statement

The authors value the privacy of their blog viewers. This site does not currently collect personal identifying information ("PID"), except: (1) to the extent that your browser provides PID, like your e-mail address or the site you linked from, to this site's server; (2) to the extent that you provide PID to this site in an e-mail; and (3) to the extent that you provide PID to this site in a CGI form (for example, when you complete a search request on this site’s “Search this Site” search feature. Your PID will be used only for the specific purpose for which you submitted the PID, except that it may be used in an aggregated form to gauge the popularity of this site. "Cookies" are pieces of information that some web sites transfer to the computer that is browsing that web site, and are used for record-keeping purposes at many web sites. Use of Cookies performs certain functions such as saving your passwords, lists of potential purchases, and your personal preferences regarding your use of the particular web site. This site uses Cookies to gather anonymous traffic data. Your browser is probably set to accept Cookies. However, if you would prefer not to receive Cookies, you can alter the configuration of your browser to refuse Cookies. This site contains links to other sites. The authors and their employers do not share your personal information with those sites and are not responsible for their privacy policies. We encourage you to learn about the privacy policies of those entities. Children under 13 years old are not the target audience of this site. To protect their privacy, the authors prohibit the solicitation of personal information from these children. The authors reserve the right to change this Privacy Policy at any time by posting a new privacy policy at this location. You can e-mail any further questions to wmorriss@fbtlaw.com.

Disclaimer

This site is provided for informational purposes only. The views expressed herein are solely those of the authors and should not be attributed to their employer or their clients. These materials do not constitute legal advice and do not create an attorney-client relationship between you and us. Please note that you are not considered a client until you have signed a retainer agreement and your case has been accepted by us. This site should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. Got it? THIS SITE IS "AS IS." WE MAKE NO REPRESENTATIONS AS TO THE ACCURACY, TIMELINESS OR COMPLETENESS OF THE STUFF HERE AND YOU SHOULD NOT RELY UPON IT. USE AT YOUR OWN RISK. WE EXPRESSLY DISCLAIM ALL WARRANTIES. This may be an advertisement. Your mileage may vary. Past performance does not guarantee future returns. Do not run with scissors. NOTE: This disclaimer is largely taken from the established and extremely well written blog Patent Baristas.

Ephemerallaw

Sunday, August 26, 2007

Monster.com Breach Highlights Limitations of Notification Laws

1 comment:

Useful Resources

Blog Archive

Contributors

Other Sites

Privacy Statement

Disclaimer