Showing posts with label state legislation.

Monday, November 17, 2008

Encryption and the Law

Encryption technology is so commonplace, one might think that it would be required by basically all information security laws and regulations. However, as discussed in the comments to yesterday's post, encryption isn't even required by HIPAA, one of the most well known information security laws on the books. Well, as was the case with data breach notification laws, states are stepping up to fill the void left by the Federal Government. For example, as discussed in this post at The Email Admin, Massachusetts is set to implement legislation requiring encryption of personal data for its residents (rule here). It is this kind of law (+ private rights of action) that I was referring to when I said if people want legal protection they should work to get new laws passed. The Federal Government is slow, and generally lags far behind. If consumers really want to make a change, the place to do it is at the state, not the federal, level.

Wednesday, June 11, 2008

Value of Security Breach Notification Laws

This article from Computer World advances a position which I find truly bizarre: that security breach notification laws don't help people. The article's reasoning (and I use the term loosely) seems to be that notification laws only require action after a breach takes place, so they really don't prevent identity theft. It would be better for consumers, according to the article, if the money companies now spend on complying with security breach notification laws were instead spent on security that might prevent identity theft. In any case, the article points out, more identity theft takes place due to telephone scams, lost wallets, or consumers who don't properly protect their computers. Basically, the article minimizes the harm caused by security breaches, and tries to argue that the money spent notifying consumers of the breaches would be better spent elsewhere.

Frankly, it's hard to know where to begin criticizing the article. My immediate instinct is to slam the prose. The author has a terrible habit (epidemic in lawyers, I'm sad to say) of asking rhetorical questions and making mealy-mouthed equivocations rather than just taking a position. For example, the author points out that "Enforcement of these laws may not help consumers, either." So there's a possibility that consumers may not be helped by enforcing laws. Similarly, it's possible that the sun may not rise in the east tomorrow. If the author really feels that security breach notification laws don't help people, he should say so, rather than couching his arguments in insubstantial speculation and rhetorical questions.

However, while my instinct is to slam the prose, I think it's more important to recognize that the logic underlying the prose is really, really bad. The primary mistake the author makes (and it's a doozy) is to assume that the only benefit which can come from security breach notification acts is to prevent identity theft. That's simply nuts. The primary benefit of the notification acts is that, because of them, people are notified when there's a problem. Without notification laws, businesses would never go public about security breaches, and what is indisputably a major public policy issue would simply be swept under the rug. Perhaps the author of the article thinks ignorance is bliss, but I prefer that problems be widely acknowledged so that they can be addressed. A secondary mistake the author makes is that he assumes that the more money businesses spend complying with notification laws, the less money they'll spend on security. This doesn't make sense. If businesses could sweep security breaches under the proverbial rug, they would spend even less on security. The high cost of security breach notifications (in terms of both money and bad PR) will cause companies to spend more on security, not less.

I could go on almost indefinitely about what's wrong with the author's position, but I won't. Instead, I can illustrate with a simple analogy: if the author were arguing that statutes requiring businesses to notify consumers when there was a toxic waste spill were ill-conceived because they diverted money which would otherwise be used preventing spills, he would be treated as a laughingstock. While drinking toxic waste is clearly a more direct threat to health than a data security breach, it's no more logical to allow the release of personal data to be swept under the rug than it is to allow the release of toxic waste to be covered up.

Saturday, April 12, 2008

Utility of Regulations

Does computer security regulation actually improve security? No, says this article from Computer World. Instead, the article says that regulations which specify behavior for companies risk "actually weakening a business by enforcement actions that drive companies to spend unnecessarily on perceived but not genuine security risks." The article says that, instead of specifying behavior, regulation should be outcome based. The example of good outcome based regulation given in the article was California's SB 1386, which requires companies to notify consumers of unauthorized access to their personal data. However, after praising SB 1386, the article says that that legislation is also a problem, and advocates burying it with federal regulation which would preempt state security breach notification laws. The reason the article gives for needing this preemptive federal legislation: "to create a national baseline standard for protecting sensitive data."

As it happens, I disagree with almost everything this article said. First, I think the article's fear that regulation will cause companies to waste money on needless security measures is completely misplaced. I'm actually a little curious: what part of the current regulatory climate is it that he thinks is forcing businesses to spend money unnecessarily? Is it (for example) HIPAA's encryption requirements? Its unique user identifications? It's easy to complain about regulatory burden. However, I'm not sure that I'd want a business to have my health care records (or other personal data) if they didn't even bother to know who was on their systems, or properly encrypt my information. Second, I think the article's focus on SB 1386 as the type of regulation that we need is completely wrong. Yes, that law is useful, in that it makes sure companies can't just sweep security breach incidents under the rug. However, it does nothing to prevent the breaches in the first place. To me, it makes sense to try and have regulations which prevent bad events (e.g., security breaches) from happening in the first place, rather than simply trying to clean up after something goes wrong. Finally, the article advocates preemptive federal data security breach laws. I think this is dead wrong. Why not let individual states try and find their own balances between the costs of notification and individual privacy? Having multiple state laws doesn't make it more difficult to comply...it just means that businesses need to know whose data they're storing, then comply with the most stringent standards which apply to that data. If we had some kind of federal amalgam of our current state legislation, the result would be that states could no longer make innovative laws like California's SB 1386, and that would make people's information less, not more, secure.

Thus, while I think it's generally a good thing to discuss the appropriate level of regulation to protect information security, Computer World's article arguing that regulation is unhelpful can safely be skipped, as there isn't much there worth considering.

Tuesday, December 18, 2007

New North Carolina Privacy Protection Law

North Carolina has a new law protecting individual privacy. The law adds to North Carolina's existing identity theft protection act by making it a violation of the act for any person to
knowingly broadcast or publish to the public on radio, television, cable television, in a writing of any kind, or on the Internet, the personal information of another with actual knowledge that the person whose personal information is disclosed has previously objected to any such disclosure.
Looking at its text, the North Carolina law seems to have been written to actually be enforced by aggrieved individuals. Indeed, the North Carolina law explicitly states that it can be enforced by individuals, rather than limiting the right to bring suit under the law to the state attorney general. Also, the North Carolina law includes a statutory damages provision, which addresses difficulties that individuals have had showing actual damage in previous data exposure cases. See, e.g., here and here.

So what's behind these consumer friendly features of the North Carolina law? I think there are two forces at work. The first is an individual named Glenn Hagele (web site here), who lobbied for this specific law to help address a specific fact pattern - where an individual's personal information was made available on the Internet as a reprisal for that individual's public statements. Without Glenn's work on the law, there is simply no reason to think it would exist. The second force I see is more systemic. Identity theft is still a significant concern for consumers (e.g., this article from the AARP describing identity theft concerns of older Americans) and with a seemingly endless stream of high profile incidents taking place, legislators are probably feeling pressure to do something about it. While data breach notification acts revealed that there is a problem with personal information being revealed, the repeated failures of consumers in court have shown that current law doesn't really give individuals the tools they need to protect themselves. Laws like that in North Carolina, which explicitly give consumers a right to sue for statutory damages, could be a step that more legislatures will take in the future to remedy that situation.

Sunday, November 18, 2007

Variation in State Laws: A Problem to be Solved?

Over at the Compliance and Security Connection, there's a post up about potential problems with "The Tangled Web of Data Breach Notification Laws." The post describes the difficulties that bananas.com had when it experienced a data security breach. According to the post

Bananas apparently failed to meet all the various state notification requirements and was subsequently slammed with fines and fees by major credit companies...The issue is the variation between the different state consumer notification laws.

However, neither the post, nor the article it refers to (link here), explains how the variation in data breach notification laws hurt bananas.com. While the article isn't clear on this point, the fees bananas.com ended up paying were almost certainly imposed based on bananas.com's agreements with the credit companies, not on any state data breach notification act. Indeed, many state laws (e.g., Indiana's) are written so that they are enforceable only by an action brought by the state attorney general. Thus, while variation in state laws might be annoying, blaming that variation for fees imposed by credit companies seems a bit unfair.
Similarly, while the post intimated that complying with varying state requirements is more difficult than complying with a single national standard would be, there is no evidence that that is the case. As an analogy, in the area of environmental regulations, California has the authority to enact its own emissions standards, which can be more stringent than those imposed by the EPA. The result, according to automakers, is not a patchwork of different standards; it's a single de facto national standard, since a company complying with the more stringent California rules will automatically be in compliance with the less demanding EPA rules (for an article describing some legal consequences of the relationship between California and the EPA, see here). A similar strategy of following the most stringent requirements can be applied to data breach notification laws. For example, by complying with a requirement to notify consumers whenever there is a breach, a company will automatically comply with a requirement to notify customers only when there is a breach combined with a risk of harm.
In general then, I remain unconvinced that variation between state laws presents any real burden. I also think that such variation can be beneficial, as individual states can engage in experimentation to try and appropriately balance the interests of businesses and consumers. A federal law (such as was called for in the post) might smooth out variation, but it would also cut out the experimentation currently going on between different states, a real drawback that should be considered when evaluating whether such a law should be passed.

Link to the Compliance and Security Connection provided by George Jenkins at I've Been Mugged.

Thursday, October 25, 2007

Bigger Trouble for TJX

Apparently, the TJX breach could have been bigger than previously estimated. According to court papers filed by plaintiff banks and bankers associations seeking class certification (described in this article from Computer World), TJX's breach actually exposed 94 million records, not the 45 million records previously announced. According to the banks, the costs to card issuing companies on Visa accounts alone already total between $68 and $83 million.
So what will the practical effect of all this be for TJX? More bad publicity for one, but that shouldn't be a surprise. There will also be higher legal fees, since more money at stake means that everyone involved will fight more tenaciously. Will TJX be forced to pay the banks' losses? That's a more interesting question. Individuals who try to recover from retailers who suffer from data breaches generally have little success (see, e.g., this post about a case which was thrown out in the seventh circuit). However, the bankers might have better luck. Individuals often lose because courts determine that they can't prove damages from a breach, but the bankers are in a much better position to put actual numbers on the harm they claim to have suffered. On the other hand, the current case is taking place in Boston, and Massachusetts (like every other state in the country except Minnesota) does not have a law which shifts the costs of a breach from banks to retailers. This is the case even though Massachusetts was considering such a law earlier this year (see here for an article on that proposed law). My guess is that courts would be reluctant to shift costs from retailers to banks when the legislature considered and rejected such a cost shift itself.
Happily, I'm not personally involved in this case, so I can just watch and see how it shakes out.

Tuesday, October 16, 2007

Schwarzenegger Rejects New Data Breach Law

The proposed legislation I wrote about here and here, which would have made retailers in California liable for the cost of replacing the credit cards of individuals whose data is exposed in the event of a security breach, was vetoed by Governor Schwarzenegger (details in this article from Computer World). In explaining his veto, Schwarzenegger cited private sector efforts to address the risk of data breaches, such as the PCI DSS, and stated that those efforts showed that private actors were well placed to handle this issue without government involvement. Whether you buy that reasoning or not, the bottom line is that the bill is dead, at least for now (though its proponents have vowed to keep fighting). This leaves Minnesota as the only state with a data breach notification law which shifts the costs of card replacement from financial institutions to retailers.

Thursday, September 13, 2007

Major Change to California Law Regarding Security Breaches Coming

Back in July, I wrote about a proposed California law which would require merchants who suffer from data security breaches (think TJX) to reimburse financial institutions for the cost of replacing credit cards for people whose information is stolen (link here). Now, according to this article from Computer World, that bill has passed through the California senate and awaits signature by Governor Schwarzenegger. The law has had some changes as it moved through the legislature, though. For example, a new provision has been added which would allow a merchant to be excused from some or all of the costs of card replacement if it can show it was in compliance with all security requirements at the time of the breach. However, the main focus of the law, shifting costs from merchants to banks, remains intact. According to the Computer World article, if signed, the law is expected to have the same ripple effect that California's SB 1386 had on security breach notification in general.

Sunday, August 26, 2007

Monster.com Breach Highlights Limitations of Notification Laws

Do you have your resume posted online? If so, then there's a good chance you've heard about the data breach at Monster.com, described in this article from C|NET. The breach itself wasn't record breaking...a mere 1.3 million job seekers had their data stolen. While the fact that 1.3 million records seems like a relatively small breach is somewhat troubling in itself, this post isn't written to decry the disturbing frequency of data breaches. Instead, it is written to show some of the limits of data breach notification laws as they are currently written. In the monster.com breach, the information stolen included names, addresses, phone numbers, and email addresses. No other details such as bank account numbers were uploaded. While most states have laws that require companies to provide notification of unauthorized access to their customers' personal information, those laws don't necessarily cover breaches like that at monster. For example, California's SB 1386 defines "personal information" as

an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

In the monster.com breach, none of the information set forth in subsections (1)-(3) quoted above was stolen, so the breach itself appears to fall outside the scope of the law. Does this mean that the monster.com breach was innocuous? Not at all. According to the C|NET article, the individuals who hacked monster.com would send emails attempting to get further information from people whose data had been stolen. The emails would be created using the stolen data, giving them more credibility than they would otherwise have, and making it more likely that the emails' recipients would think they were legitimate. While that type of risk doesn't seem to be one that California's data breach notification law was intended to cover, it is possible that more breaches of the monster.com variety will occur, as businesses begin to react to existing law by making it less likely that bank account numbers or other information are available for hackers. If that is the case, state legislatures might consider revisiting their existing laws, and revising them as necessary to deal with this newer type of threat.

Friday, August 24, 2007

7th Circuit Says No Private Right of Action for Data Breach

As described in this post on the Threat Level blog, the seventh circuit court of appeals has ruled against consumers whose personal data was stolen from a bank database (the opinion can be found here). As described in the opinion, the consumers' data was stolen as the result of an intrusion which was "sophisticated, intentional and malicious." The consumers requested that the court grant them, among other relief, payment for the cost of credit monitoring services, a seemingly reasonable request, given the fact that their personal data was now in the hands of criminals who had likely stolen it for the specific purpose of facilitating identity theft. However, the seventh circuit decided that the harm suffered by the consumers was only potential harm, and therefore was not compensable under the relevant state law. True, the consumers had to pay for credit monitoring, but the court pointed out that they could not show that their identities had been stolen (yet), so the case was thrown out.

What does all this mean for consumers? There are two primary lessons to be drawn. The first is that courts remain an extremely hostile environment for trying to vindicate privacy rights. The (in my opinion) classic case on this subject is In re Northwest Airlines Litigation which found that Northwest's privacy policy was not a contract with customers, and that customer data collected by Northwest belonged to Northwest, not the customers. The new decision from the seventh circuit just confirms what was already clear: consumers should not expect courts to protect privacy. The second lesson to be drawn from the seventh circuit's new decision is that states which wish to provide meaningful privacy protections for their citizens should include private rights of action in their privacy legislation. In finding against the consumers, the seventh circuit referred to the fact that the relevant data breach notification act did not provide a private right of action. Thus, if state legislators want to avoid their citizens being thrown out of court, they should make sure to explicitly create a way (by statute) for the citizens to protect themselves.

Sunday, July 1, 2007

New Data Security Breach Law Moves Through California Legislature

In 2002, California passed the nation's first data breach notification statute, SB 1386, which has since been copied by states around the country. Now, a new bill is making its way through the California legislature, this one significantly modifying the provisions of SB 1386 by mandating that retailers who suffer data security breaches reimburse banks and credit unions for the cost of issuing new cards to their customers. Predictably, as described in this article, groups representing retailers are opposing the bill, which, if it passes, could become a model for similar bills around the country (by comparison, 39 states have enacted data breach notification laws similar to SB 1386). Thus far, laws shifting the costs of replacing cards from banks and credit unions to retailers have been defeated in Texas, Massachusetts, and Connecticut, though one has passed in Minnesota, thanks, in part, to the TJX breach. Whether that breach will be enough to carry the bill in California is an open question, but, if it does, it will usher in a brave new world in which the risks to retailers of data security breaches would be substantially larger than they are now.

Wednesday, June 20, 2007

Banks v. Merchants

One rift between interest groups which has emerged in the world of information security is between merchants and banks. The basic conflict is driven by banks' fear of exposure based on acts (or failures to act) by merchants. This leads to banks imposing standards (e.g., the payment card industry data security standard) on merchants, who are then faced with the prospect of struggling to comply with what seem to be mercurial and/or contradictory mandates. The result, predictably, is frustration for all sides, such as was shown in a recent panel discussion sponsored by Symantec (described in this article). That frustration has also manifested itself in more problematic ways, such as noncompliance by merchants who feel that the standards are too expensive or too unwieldy (as blogged here).

However, it seems that that frustration also has the potential to lead to positive change. For example, in response to complaints by merchants, the payment card industry is changing the way its data security standard will be defined in the future (blogged about here). Similarly, in response to concerns from banks, states are considering laws which would shift the cost of cleaning up after data breaches to the entities who cause them (one such proposal is described in this article). The lesson from all this? First, if you have concerns about data security, regardless of what type of organization you represent, you're not alone. Second, if you express your concerns, there's a real possibility that they will be addressed, as both public and private organizations have shown themselves to be responsive to feedback and criticism.

Wednesday, April 11, 2007

State Enforcement Actions

While federal laws such as Gramm-Leach-Bliley and HIPAA are often the focus of concern for organizations seeking to maintain regulatory compliance, it is important to remember that many states have put in place requirements which must be observed as well. Case in point: Texas, where the attorney general took action against Radio Shack for violating that state's 2005 Identity Theft Enforcement and Protection Act and section 35.581 of Chapter 35 of Texas' Business and Commerce Code. According to the attorney general's press release, Radio Shack had failed to properly protect and dispose of its customers' records by simply dumping bulk records in a garbage receptacle behind a store. The dumped records included, ironically, a receipt from a woman who purchased a shredder from Radio Shack to protect herself from identity theft, just the kind of potential victim the media loves to focus on. Thus, the Radio Shack prosecution should serve as a reminder to businesses everywhere that federal law isn't the only source of data privacy and information security law, and it is necessary to be mindful of state statutes as well.