Sunday, August 26, 2007

Monster.com Breach Highlights Limitations of Notification Laws

Do you have your resume posted online? If so, there's a good chance you've heard about the data breach at Monster.com, described in this article from C|NET. The breach itself wasn't record breaking...a mere 1.3 million job seekers had their data stolen. While the fact that 1.3 million records seems like a relatively small breach is somewhat troubling in itself, this post isn't written to decry the disturbing frequency of data breaches. Instead, it is written to show some of the limits of data breach notification laws as they are currently written. In the Monster.com breach, the information stolen included names, addresses, phone numbers, and email addresses. No other details, such as bank account numbers, were uploaded. While most states have laws that require companies to notify their customers of unauthorized access to their personal information, those laws don't necessarily cover breaches like the one at Monster. For example, California's SB 1386 defines "personal information" as

an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

In the Monster.com breach, none of the information set forth in subsections (1)-(3) quoted above was stolen, so the breach itself appears to fall outside the scope of the law. Does this mean that the Monster.com breach was innocuous? Not at all. According to the C|NET article, the individuals who hacked Monster.com would send emails attempting to get further information from the people whose data had been stolen. The emails would be crafted using the stolen data, giving them more credibility than they would otherwise have and making it more likely that the recipients would think they were legitimate. While that type of risk doesn't seem to be one that California's data breach notification law was intended to cover, it is possible that more breaches of the Monster.com variety will occur, as businesses react to existing law by making it less likely that bank account numbers or other covered information are available to hackers. If that is the case, state legislatures might consider revisiting their existing laws and revising them as necessary to deal with this newer type of threat.

1 comment:

WOW GOLD said...

Nice blog. I am also an ardent player of WOW GOLD. I love this game. Nice posting about wow gold. Thanks