Sunday, August 26, 2007

Breach Highlights Limitations of Notification Laws

Do you have your resume posted online? If so, then there's a good chance you've heard about the data breach at, described in this article from C|NET. The breach itself wasn't record-breaking... a mere 1.3 million job seekers had their data stolen. While the fact that 1.3 million records seems like a relatively small breach is somewhat troubling in itself, this post isn't written to decry the disturbing frequency of data breaches. Instead, it is written to show some of the limits of data breach notification laws as they are currently written. In the breach, the information stolen included names, addresses, phone numbers, and email addresses. No other details such as bank account numbers were uploaded. While most states have laws that require companies to provide notification of unauthorized access to their customers' personal information, those laws don't necessarily cover breaches like that at Monster. For example, California's SB 1386 defines "personal information" as

an individual's first name or first initial and last name in combination
with any one or more of the following data elements, when either the
name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card
(3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.

In the breach, none of the information set forth in subsections (1)-(3) quoted above was stolen, so the breach itself appears to fall outside the scope of the law. Does this mean that the breach was innocuous? Not at all. According to the C|NET article, the individuals who hacked would send emails attempting to get further information from people whose data had been stolen. The emails would be created using the stolen data, giving them more credibility than they would otherwise have, and making it more likely that the emails' recipients would think they were legitimate. While that type of risk doesn't seem to be one that California's data breach notification law was intended to cover, it is possible that more breaches of the variety will occur, as businesses begin to react to existing law by making it less likely that bank account numbers or other information are available for hackers. If that is the case, state legislatures might consider revisiting their existing laws, and revising them as necessary to deal with this newer type of threat.

Friday, August 24, 2007

7th Circuit Says No Private Right of Action for Data Breach

As described in this post on the Threat Level blog, the Seventh Circuit Court of Appeals has ruled against consumers whose personal data was stolen from a bank database (the opinion can be found here). As described in the opinion, the consumers' data was stolen as the result of an intrusion which was "sophisticated, intentional and malicious." The consumers requested that the court grant them, among other relief, payment for the cost of credit monitoring services - a seemingly reasonable request, given the fact that their personal data was now in the hands of criminals who had likely stolen it for the specific purpose of facilitating identity theft. However, the Seventh Circuit decided that the harm suffered by the consumers was only potential harm, and therefore was not compensable under the relevant state law. True, the consumers had to pay for credit monitoring, but the court pointed out that they could not show that their identities had been stolen (yet), so the case was thrown out.

What does all this mean for consumers? There are two primary lessons to be drawn. The first is that courts remain an extremely hostile environment for trying to vindicate privacy rights. The (in my opinion) classic case on this subject is In re Northwest Airlines Litigation, which found that Northwest's privacy policy was not a contract with customers, and that customer data collected by Northwest belonged to Northwest, not the customers. The new decision from the Seventh Circuit just confirms what was already clear: consumers should not expect courts to protect privacy. The second lesson to be drawn from the Seventh Circuit's new decision is that states which wish to provide meaningful privacy protections for their citizens should include private rights of action in their privacy legislation. In finding against the consumers, the Seventh Circuit referred to the fact that the relevant data breach notification act did not provide a private right of action. Thus, if state legislators want to avoid their citizens being thrown out of court, they should make sure to explicitly create a way (by statute) for the citizens to protect themselves.

Thursday, August 23, 2007

PCI DSS Compliance Makes Slow Progress

The challenges faced by merchants in their efforts to comply with the Payment Card Industry (PCI) Data Security Standards (DSS) have received a great deal of publicity, especially since Visa U.S.A. announced its intent to penalize noncompliant merchants beginning in October, 2007 (see here). However, recently Visa has backed off of its aggressive stance, and announced that instead of denying merchants the right to participate in its tiered fee structure, it will simply downgrade noncompliant merchants one tier, and require them to pay higher fees. This softened approach was announced in a memo issued by Visa and Fifth Third Processing Solutions earlier this month (Practicality vs. Security). They also announced that merchants who are in compliance by September 30, 2008 may be eligible for lost interchange discounts and other incentives. While the Payment Card Industry is to be lauded for its efforts to increase security and reduce the potential for identity theft and credit card fraud, the draconian measures it attempted to use in order to speed up the DSS compliance process did not recognize the difficulties and costs encountered by merchants in attempting to comply with the 140 requirements for protecting credit card data. Not only are the smaller retailers encountering challenges and obstacles to compliance, but recent estimates indicate that more than half of Visa's top tier merchants have not yet achieved full compliance. Visa and MasterCard must find a way to keep the pressure on, but not at such a pace as to hurt retailers financially.

Tuesday, August 21, 2007

Watermarking: Threat to Privacy?

Recently, a mini-firestorm has erupted over the possibility that the recording industry will add watermarks to music files (e.g., articles here, here, and here). The idea behind the watermarks is that they will allow copyright holders to see where files on peer-to-peer networks came from and file lawsuits accordingly. Whether such tracking would actually allow the RIAA to file suits without being embarrassed (e.g., as described in this article, which eventually led to a charge of malicious prosecution) is an open question. However, what I would like to address is not whether the watermarks will help in prosecution of copyright infringers, but what they will do for individual privacy. In an article on the subject, Evan Hill, CTO of Activated Content, a company that provides watermarking solutions to Universal, Sony/BMG and other labels, is quoted as calling watermarks which uniquely identify each file purchased by each user a "privacy nightmare." While there are certainly concerns about watermarking, I don't think those concerns are really that significant. The reason for this is that problems with watermarking are really only a symptom of a larger issue: users being forced to sacrifice their privacy in order to participate in the modern economy. I've blogged previously (see post here) about the threat posed to privacy by the routine enforcement of clickwrap licenses where service providers can basically dictate terms because users either don't or can't understand what they're agreeing to. Similarly, in the case of music distribution, service providers (i.e., record companies) can basically dictate terms to users, because people won't bother to read the licenses provided with the songs and, even if they did, they wouldn't have any choice about accepting them because the record labels have government-enforced copyrights (assuming the consumers care about buying licensed copies of the songs, of course).
In both cases though, the problem isn't the watermarks (or the clickwraps); it's the economy, and the legal system which allows those tools to be used in ways that strip users of their privacy.

Thursday, August 16, 2007

How Much Does a Mega-Breach Cost?

According to this article from Computerworld, TJX has announced that the costs of a massive 45 million+ record data breach could reach over $150,000,000. While certainly a significant amount of money (I know my net worth doesn't even approach $150,000,000), the figure given by TJX is actually significantly less than I would have expected. When taking into account the magnitude of the breach, the per record cost given by TJX is only about $3.30. That's orders of magnitude lower than the $182/record average cost given by the Ponemon Institute described in this article. While it's possible that larger breaches have lower cost/record numbers (something like buying in bulk), my guess is that $150,000,000 is something of a lowball estimate. However, even at $3.30/record, a breach like the one which hit TJX isn't cheap, and even the $150,000,000 figure is likely to spur some long overdue emphasis on information security.

Tuesday, August 14, 2007

Focus on Data Retention, Storage and Destruction

Merchants with customers in Minnesota have another reason to step up their efforts to comply with the PCI Data Security Standards. A new Minnesota law, the first of its kind, imposes strict liability on merchants for costs incurred by financial institutions associated with a card security breach. Effective August 1, 2007, the Plastic Card Security Act bill requires that merchants with Minnesota residents as customers must have implemented Requirement 3 of the PCI security requirements. Requirement 3 prohibits storage of "sensitive authentication data," which includes magnetic stripe data, card validation codes, PINs, and encrypted PIN blocks. The law requires destruction of all such data immediately following a transaction. The provisions imposing strict liability take effect August 1, 2008. Similar bills are pending in the legislatures of California, Texas, Illinois, Connecticut and Massachusetts, and could very well be the next wave of data security legislation.

Meanwhile, other efforts are underway to assist companies who must store sensitive business data. Computerworld reports on software that is being developed which takes critical data and cuts it up into anywhere from four to 128 "slices" that can be sent and stored securely in one or more locations (Computerworld). Such software would be helpful for companies who need to better secure remote users, or for banking companies where long-time and easily retrievable storage of customer data is essential to their business. Clearly, recognition that proper data retention, storage and destruction is key to prevention of security breaches is finally getting its due.

Search Engines and Privacy

CNET has an interesting article comparing the privacy policies of major search engines. According to that article, Ask has the best privacy practices while Yahoo had the worst. One apparent weakness in the article was its focus on the companies' use of data (e.g., how long is it kept; do the companies rely on behavioral targeting of ads). While a company's use of data is clearly a major privacy concern, I would also be interested to see a survey which included information on how protective the companies were of the data that they do have. For example, Google actively fought the government when subpoenas were issued requesting information on searches performed by Google users (see this article (have to scroll down) for more information). To my mind, that should give the search engine giant a bump, especially given how eager most companies seem to be to hand over any and all customer information to the government (e.g., AT&T, whose behavior resulted in a lawsuit by the EFF as described here).

However, in spite of its inadequacies, the article still contained useful information. One interesting point is the discussion in the article of the effect of regulation on search engine privacy policies. For example, the article cited efforts by a group of European bureaucrats called the Article 29 Working Party as being a contributing factor in adoption of time limits for data retention by search engine providers. If there really is a causal connection, it would be a good example of how globalization can actually benefit consumer rights, since Americans would essentially be reaping the privacy benefits of regulatory pressures experienced by companies doing business in Europe.

Wednesday, August 8, 2007

Texas Attorney General Takes Action Against ID Theft

Texas Attorney General Greg Abbott has been actively enforcing his state's data privacy and security laws. In April, 2007, he filed lawsuits against two companies alleging that their disposal of customers' personal information into trash dumpsters was a violation of Texas law which requires the companies to establish reasonable security disposal procedures with respect to such information. Earlier this year he filed two other cases alleging similar violations of Texas statutes. And most recently, he has filed suit against Lifetime Fitness, a Minnesota company with several Dallas area locations (Bizjournals). This suit also alleges a failure to protect customers' personal information by disposing of personal identifying information in easily accessible trash cans behind the businesses. The Texas laws the companies are alleged to have violated are the Texas Deceptive Trade Practices Act and the 2005 Identity Theft Enforcement and Protection Act, which requires proper destruction of clients' sensitive personal information. In a statement, Abbott said "Identity theft is one of the fastest growing crimes in the United States. Texans expect their personal information to remain confidential." While it is too early to predict the outcome of these cases, if successful, the companies could face civil penalties of up to $50,000 per violation. It is also an indication that state attorneys general have new ammunition in their efforts to guard against identity theft, and Texas, New York and others are prepared to use it. With identity theft crimes on the rise, companies and employers are well-advised to be vigilant in their protection of personal information of their customers and employees.

Friday, August 3, 2007

Privacy and Contract Revisited

Two weeks ago today, I wrote that individual privacy was basically dead (original post here). I wrote this in response to an article which discussed the terms of service for the new iPhone, and I pointed out that, since courts routinely enforce clickwrap licenses that are never read or understood by consumers, there was nothing in the world to prevent businesses from writing provisions into those contracts which basically stripped consumers of their privacy. Happily, I may have written too soon.

Since my original post, has reported on two court decisions which, contrary to the general practice, have ruled against businesses on the enforceability of clickwrap licenses (stories on the subject are here and here). Does this mean that end user license agreements won't be the death of privacy? It's too early to tell - the cases reported on by Wired weren't directly concerned with privacy, and they might be an aberration rather than a sign of an emerging trend against click licenses. However, it is possible that my conclusion that privacy would be effectively destroyed by EULAs was premature. I hope it was, as that was one circumstance where I would much rather be wrong than right.