SlideShare a Scribd company logo

Data Breaches

S
sstose

This document summarizes a paper about increasing data breaches and the need for legislation to address the problem. It notes that over 233 million US records have been exposed due to breaches since 2005. The document discusses the costs of breaches to companies and common causes, such as lost or stolen devices. It argues that while some states have breach notification laws, federal legislation is needed to standardize security practices and privacy protections across industries. The paper aims to examine if legislation is needed to reduce breaches, when people should be notified of breaches, and if compensation should be required.

1 of 13
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
Stephen J. Stose IST 618--Dr. Thomas Martin Syracuse University School of Information Studies Summer 2008   Data  Breaches     “Over  233  million  data  records  of  U.S.  residents  have  been  exposed  due  to  security   breaches  since  Jan  05i.”     Background   The  Ponemon  Institute,  a  company  dedicated  to  advancing  responsible  information   management  policies,  reports  that  companies  in  2007  spent  an  average  of  6.3  million   dollars  in  costs  associated  with  lost  or  stolen  data,  a  30%  increase  over  the  preceding   yearii.  This  means  an  average  cost  of  $197  per  compromised  record,  up  from  $182.    In   2008,  the  Identity  Theft  Resource  Center  reports  a  69%  increase  in  data  breaches,  20%  of   which  constitute  lost  or  stolen  devices,  and  15%  constituting  “inadvertent  posting.iii”   The  Ponemon  Institute  reports  even  higher  figures  for  lost  or  stolen  devices:  49%  in   2006iv.  Indeed,  Attrition.org  maintains  an  updated  list  of  these  breaches.  Perusing  the   list,  these  and  other  forms  of  negligence,  such  as  improperly  stored  and/or  transmitted   data,  comprise  the  surprising  majority  of  casesv.  Indeed,  current  workplace  habits  such   as  downloading  or  copying  confidential  records  onto  personal  devices,  turning  off   security  settings  or  firewalls,  sharing  passwords,  or  sending  attachments  to  home   computers  are  commonvi.       These  increases  are  startling,  but  may  be  attributed  to  a  higher  incidence  of  reporting   the  occurrence  of  breaches.  Since  California’s  security  breach  notification  legislation   came  into  effect  in  2003vii,  many  states  now  have  similar  notification  laws,  and   companies  are  now  considering  their  effectsviii .  The  U.S.  (contrary  to  the  E.U.)  has  no   overarching  law  that  governs  how  the  private  sector  uses  and  protects  personal   information.  Instead,  it  promotes  industry  self-­‐‑regulation  through  privacy  and   technology  statements,  and  opt-­‐‑out  standards  that  apply  in  a  patchwork  fashion   depending  on  the  types  and  uses  of  information  collected  and  storedix.  Two  possible   effects  state  notification  laws  have  in  common  are:  1)  loss  of  reputation  and  hence   market  share,  and  2)  customer  re-­‐‑assessment  of  risk  in  doing  business  with  the  chosen   entity.    We  will  argue  in  another  section  that  notification  laws  are  not  sufficient  to  deter   substandard  data  security.  Additionally,  these  measures,  while  seeking  to  indemnify   customers  against  actual  breaches,  may  do  nothing  to  prevent  the  breach  in  the  first   place.       The  Gramm-­‐‑Leach-­‐‑Bliley  Actx  is  a  federal  regulation  to  prevent  fraudulent  access  to   financial  information  through  impersonation,  phone,  mail,  email,  or  phishing  (15  U.S.C.  
2 §  6821-­‐‑6827);  it  also  requires  that  institutions  have  information  security  plans  enacted   that  specify  how  a  company  will  protect  and  ensure  the  privacy  of  non-­‐‑public  personal   information  (15  U.S.C.  §  6801-­‐‑6809).    These  regulations  apply  only  to  financial   institutions,  however,  and  not  to  general  small  businesses,  e-­‐‑commerce  or  social-­‐‑ networking  transactions.       We  believe  other  such  over-­‐‑arching  regulation  needs  to  be  developed  federally  that   covers  all  information  collection  endeavors  in  the  new  age  of  electronic  transmissions.   This  should  include  data  security  and  breach-­‐‑notification  laws,  rules  that  specify   penalties  for  breaches,  and  strong  privacy  laws  requiring  companies  to  disclose  their   privacy  statements  along  with  assumptions  of  transparency.  The  default,  we  believe   should  be  more  akin  to  opt-­‐‑in;  that  is  to  say,  consumers  should  not  be  required  to  work   to  keep  their  data  secure  and  private.       Perspective     The  paper  is  written  from  the  perspective  of  an  information  professional,  as  well  as  a   daily  participant  in  the  new  world  of  electronic  communication  and  commerce.    My   background  as  a  social  scientist  enables  me  a  high  level  of  analysis  into  pertinent  issues   of  data  and  its  importance  to  the  livelihood  of  conducting  business  and  commerce,   while  still  respecting  fundamentally  human  aspects  of  rights  to  privacy,  data  protection,   and  security.  These  beliefs  are  fundamental  to  this  analysis,  and  it  attempts  to  uphold   the  1974  Privacy  Act  as  close  to  the  letter  as  possible,  despite  trends  that  continue  to  the   contrary.  Nevertheless,  it  attempts  to  adapt  itself  to  current  realities,  while  still  making   recommendations  believed  to  create  a  stronger,  safer  and  more  human  system  of   electronic  communications  and  commerce.         Issue  Questions     The  issues  I  will  address  in  this  paper  are:     1. Is  there  a  need  for  legislation  to  ensure  that  confidential  information  is  stored   securely  so  that  the  incidence  of  data  breaches  can  be  reduced?   2. When  should  those  whose  data  has  been  compromised  be  notified  of  a  data   breach?   3. Should  those  whose  information  has  been  compromised  be  given  the  right  to   receive  compensation  for  damages,  and  what  actions  should  the  company   losing  the  data  be  required  to  take  to  minimize  damages?  
3 4. Is  there  a  need  to  pass  consumer  privacy  laws  so  that  they  impose  fair   information  practices  upon  creators  of  databases  containing  confidential   information?       Is  there  a  need  for  legislation  to  ensure  that  confidential  information  is  stored   securely  so  that  the  incidence  of  data  breaches  can  be  reduced?       One  standard,  developed  by  the  various  credit  card  companies,  is  called  the  Payment   Card  Industry  Data  Security  Standard  (PCI  DSS).  This  is  now  a  mandatory  twelve-­‐‑step   global  standard  that  ensures  the  protection  of  all  cardholder  data,  and  requires  external   auditing  if  a  company  processes  over  80,000  transactions  annuallyxi.  Smaller  companies   are  required  to  perform  self-­‐‑assessments.  With  the  bad  press,  many  companies  are  now   taking  these  assessments  seriously,  in  order  to  avoid  the  new  disclosure  laws  in  several   states  requiring  both  individual  and  at  times  mass  media  notification  of  breaches.       Many,  however,  argue  that  only  six  percent  of  all  known  cases  of  identity  theft  or  fraud   are  attributable  to  data  breaches,  and  that  consumers  are  being  misled  about  ways  to   prevent  theftxii.    We  agree  that  the  recent  data  breach  hype,  as  well  as  the  trend  towards   notification  laws,  is  desensitizing  individuals  to  its  inevitability  and  occurrence.  The   same  misunderstanding  occurs  when  individuals  believe  hackers,  malicious  code  and   malicious  insiders  are  responsible  for  data  breaches,  when  in  reality  they  only  account   for  10%,  6%  and  6%  of  breaches  respectivelyxiii.       Thus,  we  want  to  stress  the  creation  of  legislation  that  prevents  not  just  malicious   attacks  (which  occur  in  any  system,  regardless  of  its  security),  but  protects  consumers   against  the  creeping  desensitization  of  the  inevitability  of  a  data  breaches,  such  that  the   primary  concern  is  not  what  to  do  when  it  occurs,  but  stresses  the  fact  that  the  majority   of  breaches  occur  almost  accidentally,  due  to  negligence  and  poor  internal  management   policies.  Making  the  PCI  standard  part  of  federal  legislation,  perhaps  as  a  part  of  the   current  notification  legislation  we  will  discuss  soon,  will  serve  to  prevent  data  mis-­‐‑ management,  such  that  fraud  and  theft  are  no  longer  an  easy  option.  This  legislation,   we  believe,  should  include  an  allowance  for  businesses  that  manage  data  to  be  brought   into  civil  liability  class  action  suits  that  up  until  now  have  been  rejected  due  to  no   “actual  harm”  claims.  Thus,  we  argue  that  tort  law  needs  to  catch  up  with  the  today’s   increasing  occurrence  of  internet-­‐‑based  harmsxiv,  and  impose  weak  liability  sanctions  on   businesses  that  themselves  have  no  active  sanctions  in  place  for  the  negligent  behavior   of  its  data  managers  and  staff  with  access  to  database  records.      
4 Additionally,  since  most  data  breaches  are  occurring  at  the  mom-­‐‑and-­‐‑pop  shop  level,  as   they  make  up  over  85%  of  credit  card  transactions  nationwide,  local  business  bureaus   should  have  education  plans  mandated  for  existing  companies.  It  was  found  that  of  600   companies  with  250  employees  or  fewer,  52%  of  them  were  unknowably  storing   sensitive  customer  information  on  their  systemsxv.  Thus,  it  seems  that  the  credit  card   processing  companies  must  be  held  liable  for  the  education  of  their  clients  regarding   PCI  standards;  that  is,  small  businesses  must  be  indemnified  if  such  standards  were  not   made  apparent  in  their  contracts,  and/or  if  they  are  PCI  compliant.  However,  if  data  is   lost,  identifiable  during  transmission,  or  posted;  or  if  a  device  with  data  is  lost  or  mis-­‐‑ managed,  sanctions  for  negligence  should  be  in  place.    In  this  respect,  incentives  at  the   individual  and  small  business  level  for  preventing  security  breaches  before  they  occur   would  complement  the  punishments  companies  fear  after  they  occur  through  the   notification  laws  in  effect  today.    Such  security  regulations  that  trickle  down  to  the  local   level  should  reduce  the  incidence  of  data  breaches,  and  not  just  compensate  for  a  loss   that  ought  not  to  have  occurred  in  the  first  place.       Thus,  proper  regulations  will  hopefully  make  companies  rethink  whether  administering   database  records  of  their  clients  outweigh  the  risks  associated  with  the  sanctions  in   place  of  not  having  a  proper  security  system  installed  that  is  PCI  compliant,  and   outweighs  the  risks  of  the  sanctions  we  will  discuss  below  when  and  if  a  security  breach   does  occur.  The  goal  of  this  will  be  to  force  companies  to  take  the  storage  and   processing  of  personal  data  seriously,  and  perhaps  create  innovation  to  begin  using   internally  developed  identification  numbers  that  replace  other  forms  of  identification   (e.g.,  social  security  number)  when  tracking  customer  data.         When  should  those  whose  data  has  been  compromised  be  notified  of  a  data  breach?     The  first  assumption  that  data  breach  notification  legislation  makes  is  that  companies— to  avoid  being  the  bearer  of  bad  news  to  customers,  and  hence  reduce  their  confidence   in  the  services  it  offers—will  take  steps  to  deter  security  breaches  from  first  occurring.   The  second  is  that  through  notification,  customers  may  re-­‐‑assess  the  cost-­‐‑benefit  of   continuing  a  relationship  with  the  company.  Whether  or  not  these  assumptions,  which   guide  the  recent  efforts  of  state  legislation,  actually  serve  as  a  deterrent  has  been  the   subject  of  much  academic  speculationxvi.    We  will  side  with  the  opinion  that  disclosure   laws,  while  absolutely  necessary  for  upholding  an  individual’s  rights  to  privacy,  are  not   sufficient  deterrents  in  themselves.  California  began  the  trend,  and  enacted  two  pieces   of  consumer  rights  legislation  in  2003.  The  security  breach  statutexvii  requires:      
5   "ʺany  person  or  business  that  conducts  business  in  California,  and  that  owns  or     licenses  computerized  data  that  includes  personal  information,  [to]  disclose  any     breach  of  the  security  system…to  any  resident  of  California  whose  unencrypted     personal  information  was,  or  is  reasonably  believed  to  have  been,  acquired  by     an  unauthorized  person."ʺ         As  this  legislation  applies  only  to  “unencrypted  personal  information,”  in  order  to   avoid  liability  under  the  statute,  a  company  need  only  encrypt  computerized  non-­‐‑ public  information.  Additionally,  “unauthorized”  access  becomes  authorized  once   companies  require  need-­‐‑to-­‐‑know  permission  standards  through  the  establishment  of   passwords  and  mandatory  employee  training  on  information  security  standardsxviii .  We   applaud  this  groundbreaking  first  attempt  at  providing  incentive  to  companies  to   safeguard  the  data  of  their  clients.         Javelin  Strategy  and  Research  published  a  study  that  found  30%  of  consumers  (in  their   5  year  longitudinal  sample)  were  victims  of  data  breach,  with  only  6%  of  those  suffering   identity  fraudxix.  Thus,  notification  laws,  if  they  do  function  as  deterrents,  need  go  hand   in  hand  with  public  education.  That  is,  incidences  of  fraud  were  much  more  likely   (30%)  to  occur  due  to  lost  or  stolen  personal  items  (e.g.,  wallets),  suggesting  that  the   recent  public  hype  fed  by  media  attention  may  only  get  worse  if  every  time  a  breach   occurs  people  must  be  notified  by  law.  It  is  not  clear  whether  companies  are  releasing   data  breach  information  because  they  are  starting  to  be  more  vigilant  in  seeking   breaches  (presumable,  because  of  the  new  laws  in  some  states),  or  in  order  to  control   their  public  imagexx.  This  makes  it  difficult  to  attribute  the  sudden  increases  to  more   reporting,  or  whether  it  reveals  actual  new  vulnerabilities  in  data  processing  and   storage.       Approximately  44  states  now  have  notification  laws,  and  while  the  rationale  for  these   are  fundamentally  the  same,  the  details  widely  diverge.    Some  states  require  that  a   credit  card’s  access  code  be  divulged  to  justify  the  disclosure  of  breaches  (e.g.,   California’s),  while  this  is  not  so  in  the  Kansas  bill.  Only  some  require  the  secure   destruction  of  sensitive  data  on  paper.  Pennsylvania  considered  legislation  to  close  the   encryption  exemption,  requiring  disclosure  even  if  the  data  were  originally  encrypted.     Eighteen  states  deem  the  “belief”  (by  whom?)  that  stolen  data  will  “not  be  misused”  as   an  exemption;  and  others  exempt  disclosure  if  card  number  have  been  redacted  in   another  formxxi.  These  discrepancies  lead  to  public  relations  issues  when  disclosing  to   customers  in  some  states  but  not  others,  among  other  possible  confusions  nationwide.     We  feel  strongly  about  five  exemptions  to  disclosure.  Firstly,  in  order  not  to  unduly   alert  consumers,  if  card  numbers  cannot  be  linked  to  access  codes,  notification  need  not  
6 occur.  Secondly,  given  that  hackers  can  fool  their  way  into  encrypted  data,  and  that   encryption  is  not  the  end-­‐‑all  to  protection,  encryption  should  not  automatically  justify   an  exemption  (especially  if  access  cards  are  available).  Thirdly,  companies  may  not  self-­‐‑ exempt  disclosure  based  on  their  own  definition  of  what  can  and  cannot  be  “misused,”   but  may  do  so  when  independent  auditors  can  make  the  case  after  an  appropriate   assessment  of  risk  is  carried  out.  Fourthly,  redacted  data  should  be  exempt,  but  only  if   no  link  from  the  redacted  data  to  the  original  was  divulged.  And  fifthly,  third-­‐‑party   credit  card  processing  companies  cannot  indemnify  themselves  against  breaches  when   their  retail  clients  have  not  been  educated  regarding  the  storage  and  processing   characteristics  of  the  card-­‐‑reading  software  packages  utilized.  On  a  similar  note,  and  in   place  of  all  current  state  notification  laws,  is  the  opposite:  if  companies  outsource   customer  data  processing,  they  are  still  liable  for  how  that  data  is  processed  and  stored.           Should  those  whose  information  has  been  compromised  be  given  the  right  to  receive   compensation  for  damages,  and  what  actions  should  the  company  losing  the  data  be   required  to  take  to  minimize  damages?     Currently,  there  are  two  bills  active  in  the  Senate  (Leahy-­‐‑Specter’s  S.495;  and  Feinstein’s   S.239)  and  two  in  the  House  (Rush  and  Stearn’s  H.R.958;  and  Smith’s  H.R.  836)xxii.    The   main  issue  of  contention  in  many  of  these  bills  is  whether  consumer  notification  should   occur  given  a  “reasonable”  risk  of  harm,  or  whether  this  risk  need  qualify  as   “significant.”    In  either  case,  and  we  repeat,  this  risk  assessment  must  be  part  of  an   independent  inquiry,  and  make  up  one  of  many  other  more  objective  benchmarks  (e.g.,   as  listed  above),  that—taken  together—determine  whether  or  not  disclosure  is  the  most   prudent  path.    With  no  other  sanctions  in  place  for  a  breach  of  data,  it  is  imperative  that   companies—when  required  by  law  to  send  out  notification—are  also  implicated  by  law   in  offering  free  credit  monitoring  services  for  a  to-­‐‑be-­‐‑specified  number  of  years,   depending  on  the  breach  severity.  In  other  words,  we  are  of  the  opinion  that   notification  laws  are  in-­‐‑themselves  an  insufficient  deterrent,  albeit  a  necessary  action   towards  diminishing  security  fraud.         Notification  laws  are  an  insufficient  deterrent  on  multiple  grounds.  Firstly,  the  breach   may  occur  at  one  of  the  “back  office”  processing  companies  (e.g.,  data  couriers  or  data   brokers),  leading  to  consumer  confusion  regarding  whether  shopping  elsewhere   effectively  punishes  anybody.  Also,  with  larger  companies  such  as  banks,  consumers   not  only  fear  the  cost  of  changing  companies,  they  also  may  begin  to  feel  its   ineffectiveness,  assuming  all  such  companies  are  equally  likely  to  incur  a  breach.  As   with  the  media  hype,  consumers  begin  to  consider  breaches  “normal.”    Companies  
7 often  would  prefer  it  this  way,  as  breach  desensitization  leads  consumers  to  waive   market  punishment;  indeed,  many  feel  such  notices  would  lead  only  to  “crying  wolf,”   bringing  customers  to  ignore  such  warnings  wholesalexxiii.  For  instance,  TJX  Companies   Inc.  incurred  only  a  slight  dip  in  share  price  when  its  security  breach  was  announced  in   January  2007,  and  customers  expressed  lax  concern  given  its  low  prices  while  justifying   that  it  could  have  happened  to  any  company.  After  a  class  action  lawsuit  was  filed  a   few  weeks  later,  the  share  price  fellxxiv.  Consumers  also  feel  protected  by  the  cardholder   agreements  that  insulate  their  losses,  probably  forgetting  that  they  pay  for  these   through  increasing  fees;  nor  do  they  consider  the  extremely  arduous  process  of  identity   theft  recovery,  which  has  been  described  as  arduous  and  intimidatingxxv.  Thus,   notification  may  not  necessarily  function  as  an  indirect  form  of  consumer  sanction,  as  it   was  originally  conceived.     We  believe  the  courts  need  to  begin  to  consider  the  prospect  of  allowing  civil  liability   cases  to  be  heard  when  and  if  it  can  be  established  that,  had  the  breach  not  occurred,  the   theft  of  data  would  not  have  occurred.  This  causality  claim  has  not  done  well  in  court,   however,  as  the  customer  presumably  submits  the  very  data  lost  to  many  institutions   other  than  the  one  that  incurred  the  breach;  nor  can  it  be  established  that  identity  theft   is  an  event  that  ordinarily  does  not  take  place  when  a  company  has  not  been   negligentxxvi.  This  is  to  say,  data  security  negligence  does  not  ordinarily  lead  to  identity   theft.    Given  the  statistics,  that  seems  to  be  true,  despite  the  hype.  It  also  means  that  the   personal  information  may  have  been  shared  with  different  institutions  and  hence   misused  elsewhere,  invoking  no  liability  to  the  company  originally  responsible.  This  is   a  question  of  privacy  law,  which  we  will  come  to  next.  Torts  have  also  been  rejected  as  a   form  of  civil  liability  because  “actual  harm”  is  only  the  fear  of  the  possibility  of  future   harm,  and  so  this  argument  has  not  even  been  able  to  sustain  rewards  of  credit   monitoring  as  personal  compensation  for  a  breachxxvii.         Therefore,  we  believe  it  should  not  be  the  sole  job  of  courts  to  craft  solutions  for  each   and  every  case  of  identity  fraud.  Instead,  legislation  must  be  drafted  which  allows  the   pinpointing  of  responsibility  through  regulatory  standards.  More  stringent  rules  are   needed  to  motivate  businesses  to  comply  with  data  security  standards,  as  we  discussed   above.  Minnesota  was  the  first  state  to—in  addition  to  enticing  companies  to  change   through  the  notification  deterrent—also  decided  to  punish  companies  by  giving  PCI   standards  a  legal  standing.  The  Plastic  Card  Security  Actxxviii  makes  companies  that   process  more  than  20,000  transactions  annually  liable  to  banks  and  credit  unions  for  the   costs  of  credit  card  blocking  and  re-­‐‑issuance,  if  sensitive  information  is  found  to  be   stored  after  certain  limits,  something  that  PCI  explicitly  prohibitsxxix.  Massachusetts  has   a  similar  law,  which  includes  government  bodies  under  its  definition  of  “commercial   entityxxx.”  
8   Even  still,  this  may  not  be  enough  to  get  smaller  companies,  the  52%  cited  above  guilty   of  storing  sensitive  nonpublic  information,  to  comply.  Often,  these  smaller  companies   are  storing  data  without  even  knowing  it,  as  the  packaged  payment  applications  they   utilize  store  this  information  by  default.  For  this  reason,  we  are  urging  that  the  card   processing  (“back-­‐‑office”)  companies  that  distribute  these  packaged  programs  be  held   accountable  for  updating  software  packages  in  compliance  with  this  regulation,  as  well   as  educate  their  retail  clients  of  these  storage  regulations  in  order  to  indemnify   themselves  against  future  claims,  thereby  making  the  businesses  themselves   accountable  for  non-­‐‑compliance.  In  this  way,  we  have  argued,  liability  claims  are   allowed  to  trickle  down.    As  it  is,  many  smaller  businesses  are  being  fined  for  security   breaches  they  believed  to  have  made  a  sincere  attempt  to  control  through  firewall   protection  and  passwords.       Individuals  are  also  a  main  concern.  Notifications  need  to  come  with  clear  and  concise   information  for  how  the  breaching  institution  is  going  to  compensate  for  its  negligence,   not  just  a  vague  and  empty  informational  letter.  If  individuals  are  powerless  in  court,   even  as  a  class  action,  we  need  to  see  legislation  at  the  federal  level  that  not  only   protects  the  financial  institutions,  but  also  a  statutory  right  of  action  extended  to   consumers.  At  the  very  least,  laws  are  needed  that  require  as  part  of  notification  a  writ   of  guaranteed  credit  monitoring  services  which—in  the  case  of  credit  fraud—also  incur   all  personal  costs  and  troubles  associated  with  the  clearing  the  debts  and  accounts   created  by  the  thieves.  As  it  is,  the  Federal  Trade  Commission  advises  much  persistence   in  getting  local  and  state  police  sources  to  recognize  fraud,  a  step  necessary  to  get   collection  agencies  to  rescind  their  legal  duty  to  collectxxxi.  In  other  words,  businesses   should  not  just  be  held  responsible  for  ensuring  that  financial  institutions  are  covered  in   their  losses,  but  that  individuals  are  likewise  covered  for  the  costs  associated  with  both   future  credit  monitoring,  and  the  larger  personal  costs  associated  with  clearing  the   debts  and  accounts  created  by  the  thieves.    The  costs  of  credit  monitoring  should  be   borne  by  the  company,  such  that  incentive  is  created  to  re-­‐‑analyze  the  benefit  of   maintaining  personal  data  weighted  against  the  costs  of  possible  breaches  due  to   disorganization,  sloppy  internal  work  ethic,  file-­‐‑sharing  and  data  vending,  and  of   course  any  other  risk  associated  with  PCI  non-­‐‑compliance.    If  all  companies  are  under   the  same  level  of  regulation  at  each  level  in  the  system  (from  credit  card  agencies,  to   processing  companies,  to  retail  businesses)  to  ensure  that  they  are  PCI  compliant  at  the   least,  this  is  incentive  enough  for  motivating  businesses  to  work  harder  to  guarantee  a   secure  marketplace  in  which  to  do  business.            
9 Is  there  a  need  to  pass  consumer  privacy  laws  so  that  they  impose  fair  information   practices  upon  creators  of  databases  containing  confidential  information?     Data  managers  know  the  value  of  reusing  data.  However,  few  individuals  believe  that   the  personal  information  they  provide  is  and  can  be  bought  and  sold  as  a  good.  The   questions  above  deal  with  data  security  and  its  failure.  This  is  distinct  from  what   companies  can  legally  do  with  personal  information  once  they  have  it,  whether   individuals  are  aware  that  companies  are  even  gathering  information  about  them,  and   hence  what  rights  individuals  have  and  what  permissions  need  to  be  granted  regarding   its  ownership,  preservation  and  sharing.  Given  that  recent  news  regarding  data   breaches  are  waking  up  individuals,  privacy  groups  are  rethinking  the  implications  of   the  1974  Privacy  Actxxxii  and  the  meaning  of  its  “fair  information  practices”  given  the   expanding  intrusion  of  companies  and  government  as  a  result  of  the  free  flow  of   information  on  the  Internet.     The  USA  Patriot  Actxxxiii  began  an  era  of  increased  government  surveillance  once  again,   as  government  again  began  collecting  data  about  individuals  with  neither  consent  nor   recourse  to  oversight  or  legal  challenge.  In  the  European  Union,  on  the  other  hand,   personal  privacy  laws  are  relatively  advanced.    The  European  Commission  passed   Directive  95/46/EC  on  the  “Protection  of  Individuals  with  Regard  to  the  Processing  of   Personal  Data  and  on  the  Movement  of  Such  Dataxxxiv.    In  contradistinction,  the  U.S.  has   no  overarching  federal  policy,  preferring  instead  to  adopt  privacy  legislation  “as   needed,  ”  as  sectors  and  events  see  fit.  For  this  reason,  we  see  a  proliferation  of  acts,   such  as  the  Video  Protection  Actxxxv,  the  Cable  Television  Consumer  Protection  and   Competition  Actxxxvi,  the  Health  Insurance  Portability  and  Accountability  Act   (HIPAA)xxxvii,  the  Children'ʹs  Online  Privacy  Protection  Act  (COPPA)xxxviii ,  and  the  Fair   Credit  Reporting  Actxxxix,  among  others.  Former  President  Bill  Clinton  and  vice-­‐‑ President  Al  Gore  advised  in  their  “Framework  for  Global  Electronic  Commerce”  that   “the  private  sector  should  lead,”  “governments  should  avoid  undue  restrictions  on   electronic  commerce,”  and  ironically  even  that  “Electronic  Commerce  over  the  Internet   should  be  facilitated  on  a  global  basisxl.”         Advances  in  data  mining  allow  searching  for  correlations  and  patterns  amongst  data.   This  is  not  hypothetical  deduction,  as  in  science,  but  hypothetical  induction.  A  graduate   student,  for  example,  by  tracking  the  IP  fingerprints  across  millions  of  Wikipedia   entries,  traced  a  systematic  deletion  of  critical  information  regarding  e-­‐‑voting  machines,   from  the  very  company  producing  those  machinesxli.  A  Carnegie  Mellon  professor,   Latanya  Sweeny,  for  instance,  found  that  by  just  knowing  an  individual’s  postal  code   and  birth  data,  that  individual’s  personal  information  in  a  putatively  anonymous  public  
10 database  could  be  identified  with  69  percent  accuracy,  and  even  87  percent  if  the  gender   is  also  knownxlii.       Thus,  while  HIPAA  allows  a  small  portion  of  data  to  be  utilized  for  marketing  purposes   if  and  only  if  it  is  stripped  of  all  personal  identifiers,  data  miners  may  re-­‐‑identify  the   person  by  making  correlations  across  other  databases.  We  firstly  believe  that  federal   laws  regarding  information  as  sensitive  medical  data  should  in  no  way  ever  be   marketed.  Secondly,  if  the  U.S.  does  wish  to  continue  making  piecemeal  legislation  on   an  as  needed  basis,  basic  federal  rules  consistent  with  “fair  information  practices”   outlined  in  the  Privacy  Act  must  provide  the  unwavering  fundamentals  under  which   these  piecemeal  laws  must  conform.       There  are  also  recommendations  to  fight  data  mining  indirectly  xliii .  For  example,  after   records  have  been  de-­‐‑identified,  average  values  for  fields  (across  five  to  ten  records)  or   known  amounts  of  random  noise  could  be  used,  or  random  amount  of  noise  could  be   introduced  across  all  records.    Both  methods  would  allow  for  data-­‐‑analytic  breakdown   and  accurate  analyses  by  researchers  or  marketers  wishing  to  use  it  in  their  studies.   This,  however,  while  it  is  a  form  of  data  encryption,  does  not  solve  the  more   fundamental  problem  of  personal  rights  of  privacy  we  endorse  in  this  paper.       For  one,  we  call  for  a  strict  opt-­‐‑in  policy  for  any  data  sharing  and  marketing.    That  is  to   say,  it  is  a  dangerous  default  and  precedent  to  begin  requiring  individuals  to  take  active   measures  themselves  to  investigate  and  inform  themselves  regarding  what  a  company’s   plan  is  for  the  data  they  provide.  If  that  plan  is  mere  storage,  users  may  be  presented   with  an  opt-­‐‑out  option;  but  only  in  this  case.  And  when  the  case,  consumers  should  not   have  to  take  active  steps  to  opt-­‐‑out.  On  the  other  hand,  if  the  company’s  plan  is  to  share,   sell,  or  market  the  data  at  any  time,  consumers  must  be  provided  with  an  opt-­‐‑in  option   up  front,  with  a  summarized  and  understandable  (i.e.,  not  legalese)  terms  of  the  plans.   Additionally,  these  may  not  be  guised  through  formats  such  as  opting-­‐‑in  or  -­‐‑out  of   newsletters  or  updates  (a.k.a.  spam).  This  form  of  opting-­‐‑in  or  –out,  whichever  the  case,   must  also  be  made  more  robust  and  not  depend  on  cookies,  which  upon  deletion   (accidental  or  intentional)  often  render  such  agreements  void.       Such  legislation  must  be  passed  that  resists  attempts  by  private  industry  lobbyists  to   influence  these  fundamental  protections.  Of  course,  given  the  proliferation  of  Acts,  it  is   difficult  to  make  a  wholesale  rejection  of  the  current  U.S.  implementation  of  data   privacy  laws  on  a  sector-­‐‑by-­‐‑sector  basis.  For  this  reason,  we  call  for  an  overreaching   federal  policy  that  at  least  sets  guidelines  and  fundamentals,  as  is  done  in  the  European   Union,  and  insists  that  data  protectors  are  employed  to  ensure  compliance.  Sector  by   sector  acts  may  vary,  but  may  not  violate  these—what  should  be  considered—inviolate  
11 privacy  protections  in  today’s  age  of  information.  They  provide  the  control  users  have  a   right  to  feel  against  their  fears—however  irrational  they  may  or  may  not  be—of  data   breaches,  which  notification  laws  are  just  now  making  more  salient.    They  also  reduce   the  secondary  and  indirect  need  for  database  managers  to  add  noise  or  aggregate  data,   or  the  Safe  Harbor  agreements  that  provides  Europeans  protections  that  accord  with   fair  information  policies,  while  denying  U.S.  citizens  the  same  privacy  assumptions.   While  we  are  not  opposed  to  recent  efforts  by  industry-­‐‑led  efforts  to  secure  a   standardized  set  of  policy  rules,  as  Trust-­‐‑e  and  P3Pxliv  have  done  (and  indeed  applaud   the  effort),  we  still  argue  the  most  basic  privacy  disclosures  should  be  a  fundamental   right  of  individuals,  such  that  these  standards  are  required  under  law.       Conclusion       Due  to  recent  notification  laws,  data  breaches  have  penetrated  the  public  conscious.   Notification  laws  are  an  effective  step  in  providing  incentive  to  companies  to  protect   their  databases  with  rigor.  These  may  be  insufficient,  nevertheless,  and  must   accompany  campaigns  to  balance  the  hype  such  initiatives  create  with  education   regarding  the  real  causes  of  breaches.  Companies  at  each  level  of  credit  card   transactions  must  also  incur,  through  federal  regulation,  the  costs  associated  with   breaches  of  non-­‐‑public  personal  information.  Incentive  thus  must  be  paired  with   consequences,  such  that  companies,  even  small  companies,  are  educated  regarding  data   security  standards,  whereby  not  knowing  is  sufficient  reason  for  assigning  blame  not   just  in  the  legal  system  (if  necessary),  but  at  a  federal  regulatory  level.  In  addition,   security  must  go  hand  in  hand  with  privacy.  Breaches  of  public  information,  while   often  workplace  negligence,  are  also  a  reality  due  to  lax  standards  harnessed  through   private  sector  lobbying  that  allow  data  sharing,  selling  and  marketing  without  the   consumers  informed  consent.  These  are  trends  that  must  reverse  if  the  United  States  is   to  compete  globally,  and  provide  its  own  citizens  with  privacy  protections  both  it  and   the  EU  grants  to  citizens  of  Europe.  Opting-­‐‑out  should  not  be  entrenched  in  the  public   mind  as  a  default,  whereby  individuals  must  act  to  protect  themselves.  Privacy   protections  at  the  individual  level  should  be  pre-­‐‑supposed.                   Footnotes  
12 i Privacy Rights Clearinghouse (July 11, 2008). A chronology of data breaches. http://www.privacyrights.org/ar/ChronDataBreaches.htm. ii Poneman Institute (Novermber 28, 2007). Ponemon study shows data breach costs continue to rise. http://www.pgp.com/newsroom/mediareleases/ponemon-us.html. iii Krebs, Brian (July 1, 2008). Washington Post. Data breaches are up 68% this year, nonprofit says. http://www.washingtonpost.com/wp-dyn/content/article/2008/06/30/AR2008063002123.html. iv Fontana, John (Nov 2, 2006). Average data breach costs companies $5 million. http://www.networkworld.com/news/2006/110206-data-breach-cost.html. v Data Loss Archive and Database (DLDOS). http://attrition.org/dataloss/. See also ibid. vi Ponemon Institute and RedCannon Security (Dec, 2007). Survey of US IT practitioners reveals data security policies not enforced. http://www.redcannon.com/news_and_events/press_release_ponemon.html. vii S.B. 1386, codified in Cal. Civ. Code § 1798.82. A description of this law can be found at www.privacyrights.org/ar/SecurityBreach.htm. viii For a chart of state-by-state legislation, see http://www.digestiblelaw.com/files/upload/securitybreach.pdf. ix Katz, M. L. (2008). Data security: Into the breach. The Maryland Bar Journal, 41(1). x Safeguards Rule: Laws and Rules. Pub. L. No. 106-102, Title V Subtitle A. See http://www.ftc.gov/privacy/privacyinitiatives/safeguards_lr.html. xi Allan, Danny (June, 2008). Payment card industry mandate stresses importance of web application security: Recommended becomes required. http://www.net-security.org/article.php?id=1143&p=1. See also PCI Security Standards Council https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml. xii Finextra.com (September, 2006). Data breach hype is misleading consumers—study. http://www.finextra.com/fullstory.asp?id=15860. xiii Ibid. Fontana, John (Nov 2, 2006). Average data breach costs companies $5 million. http://www.networkworld.com/news/2006/110206-data-breach-cost.html. xiv see Rustad, M. L. & Koenig, T. H. (2005). Rebooting cybertort law. Washington Law Review Association, 80. xv Sidel, Robin (September 2007). In data leaks, culprits often are Mom, Pop. http://online.wsj.com/article/SB119042666704635941.html?mod=sphere_ts. xvi Schwartz, P. & Janger, E. (2007). Notification of data security breaches. Michigan Law Review, 105. See also Picanso, K. E. (2006). Protecting information security under a data breach notification law. Fordham Law Review, 75. xvii SB  1386,  codified  as  Civil  Code  §  1798.82,  et  seq. xviii Brelsford, James F. (September 2003). California raises bar on data security and privacy. FindLaw. http://library.findlaw.com/2003/Sep/30/133060.html. xix Javelin Strategy and Research (June 2008). New Javelin reearch pinpoints how institutions should respond to data breaches. http://www.javelinstrategy.com/2008/06/23/debix_06_23_08/. xx Says Linda Foley of the Identity Theft Resource Center, http://www.idtheftcenter.org/. Reported in Krebs, Brian (July 2008). Data breaches are up 69% this year, nonprofit says. Washington Post. http://www.washingtonpost.com/wp-dyn/content/article/2008/06/30/AR2008063002123.html. xxi Alexander, Philip (April 2007). Data breach notification laws: A state by state perspective. Intelligent Enterprise. http://www.intelligententerprise.com/channels/information_management/showArticle.jhtml?articleID=198800638. xxii For all the details regarding each of these bills, see the Privacy and Security Law Blog at http://www.privsecblog.com/archives/federal-legislation-pending-privacy-and-data-security-legislation-in-the- 110th-congress.html. xxiii Schwartz & Janger, ibid. For a set of economic arguments, see Romanosky S., Telang R. & Acquisti, A. (2008). Do data breach disclosure laws reduce theft? Seventh Workshop on the Economics of Information Security. xxiv Wiltshire, Elaine (2007). Cyber-enemy at the gates. The bottom line, 24(8). http://www.thebottomlinenews.ca/index.php?articleid=242&section=article xxv Federal Trade Commission. Defend: Recover from identity fraud. http://ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html#Whatisanidentitytheftreport. xxvi Chandler, J. (2008). Negligence liability for breaches of data security. Banking and Finance Law Review, 23(2). xxvii Chandler, J. (2008), ibid. xxviii Minnesota Statute 325E.64 Access devices; breach of security (2007). https://www.revisor.leg.state.mn.us/statutes/?id=325E.64&year=2007&keyword_type=all&keyword=security+breac h+liability.
13 xxix Vijayan, Jaikumar (May 2007). Minnesota gives PCI rules a legal standing. Computer World. http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=standards_and_legal_iss ues&articleId=293804&taxonomyId=146. xxx Massachusetts House Bill No. 213 (2007). http://www.mass.gov/legis/bills/house/185/ht00pdf/ht00213.pdf xxxi Federal Trade Commission. Defend: Recover from identity theft. http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html. xxxii P.L. 93-579, 88 Stat. 1897, 5 U.S.C. § 552a (1974). xxxiii P.L. 107-56, 115 Stat. 272 (2001), then later P.L. 109-77 (2006). xxxiv Directive  95/46/EC  was  implemented  in  1995  by  the  European  Commission.   http://www.cdt.org/privacy/eudirective/EU_Directive_.html.     xxxv 18 U.S.C. § 2710 (2002). http://epic.org/privacy/vppa/. xxxvi P.L.102-385 (2002). http://projects.washingtonpost.com/congress/102/bills/s_12/. xxxvii P.L. 104-191 (1996). http://www.ihs.gov/AdminMngrResources/HIPAA/. xxxviii 15 U.S.C. §§ 6501-6506, P.L. No. 105-277, 112 Stat. 2681-728 (2000). http://epic.org/privacy/kids/. xxxix 15 U.S.C. § 1681 et seq (1996). http://www.consumersunion.org/pub/core_financial_services/000745.html. xl A Framework for Global Electronic Commerce, The White House (July 1997). http://www.technology.gov/digeconomy/framewrk.htm. xli Borland, J. (August 2007). See who’s editing Wikipedia—Diebold, the CIA, a campaign. Wired. http://www.wired.com/politics/onlinerights/news/2007/08/wiki_tracker. xlii Reported in Edelstein, H. & Millenstein, J. (Dec 2003). DM Review Magazine. http://www.dmreview.com/issues/20031201/7768-1.html. xliii For example, see again Edelstein, H. & Millenstein, J. ibid. xliv See www.truste.org and www.w3.org/P3P respectively.

More Related Content

PDF
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Rapid7
 
PDF
Rapid7 Report: Data Breaches in the Government Sector
Rapid7
 
PDF
Protecting Patient Health Information in the HITECH Era
Rapid7
 
PDF
IT Security in Higher Education
Rapid7
 
PDF
iStart feature: Protect and serve how safe is your personal data?
Hayden McCall
 
DOCX
Privacy Breaches In Canada It.Can May 1 2009
canadianlawyer
 
PDF
Law_Firm_Info_Security_Report_June2011 (1)
Aspiration Software LLC
 
PDF
Privacy and Information Security: What Every New Business Needs to Know
The Capital Network
 
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Rapid7
 
Rapid7 Report: Data Breaches in the Government Sector
Rapid7
 
Protecting Patient Health Information in the HITECH Era
Rapid7
 
IT Security in Higher Education
Rapid7
 
iStart feature: Protect and serve how safe is your personal data?
Hayden McCall
 
Privacy Breaches In Canada It.Can May 1 2009
canadianlawyer
 
Law_Firm_Info_Security_Report_June2011 (1)
Aspiration Software LLC
 
Privacy and Information Security: What Every New Business Needs to Know
The Capital Network
 

What's hot (20)

PPT
Consumer Privacy
Ashish Jain
 
PPTX
Legal issues in technology
EzraGray1
 
PDF
Cybercrime and the Healthcare Industry
EMC
 
PDF
Data Breach Insurance - Optometric Protector Plan
sarahb171
 
PPTX
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Dr. Donald Macfarlane
 
PDF
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
Symantec
 
PDF
Data Security and Privacy Under The Compliance Spotlight April 2014
Adriana Sanford
 
PDF
SayanMitra.pdf
TanayMalhotra
 
PDF
Data Privacy
cliff_rudolph
 
PDF
Research on Legal Protection of Data Rights of E Commerce Platform Operators
YogeshIJTSRD
 
PDF
The Evolution of Data Privacy: 3 things you didn’t know
Symantec
 
PDF
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...
Cédric Laurant
 
PPT
S719a
ecommerce
 
PPT
Accounting
jerryrabin
 
PDF
The Evolution of Data Privacy: 3 Things You Need To Consider
Symantec
 
PDF
2016 02-23 Is it time for a Security and Compliance Assessment?
Raffa Learning Community
 
PDF
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Financial Poise
 
PDF
Data & Privacy: Striking the Right Balance - Jonny Leroy
Thoughtworks
 
PPTX
2017-01-24 Introduction of PCI and HIPAA Compliance
Raffa Learning Community
 
PDF
Eamonn O Raghallaigh Major Security Issues In E Commerce
EamonnORagh
 
Consumer Privacy
Ashish Jain
 
Legal issues in technology
EzraGray1
 
Cybercrime and the Healthcare Industry
EMC
 
Data Breach Insurance - Optometric Protector Plan
sarahb171
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Dr. Donald Macfarlane
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
Symantec
 
Data Security and Privacy Under The Compliance Spotlight April 2014
Adriana Sanford
 
SayanMitra.pdf
TanayMalhotra
 
Data Privacy
cliff_rudolph
 
Research on Legal Protection of Data Rights of E Commerce Platform Operators
YogeshIJTSRD
 
The Evolution of Data Privacy: 3 things you didn’t know
Symantec
 
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...
Cédric Laurant
 
S719a
ecommerce
 
Accounting
jerryrabin
 
The Evolution of Data Privacy: 3 Things You Need To Consider
Symantec
 
2016 02-23 Is it time for a Security and Compliance Assessment?
Raffa Learning Community
 
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Financial Poise
 
Data & Privacy: Striking the Right Balance - Jonny Leroy
Thoughtworks
 
2017-01-24 Introduction of PCI and HIPAA Compliance
Raffa Learning Community
 
Eamonn O Raghallaigh Major Security Issues In E Commerce
EamonnORagh
 
Ad

Viewers also liked (8)

PPT
ΟΝΝΕΔ - Οι προτάσεις μας για τα ΤΟΣΥΝ
vmamatsios
 
PDF
Disruptive technologies: Prediction or just recommendations?
sstose
 
PDF
Web classification of Digital Libraries using GATE Machine Learning  
sstose
 
PDF
A comparison of two digital libraries based on pre-established criteria
sstose
 
PDF
Christine Madsen interview
sstose
 
DOC
Nyt p-ga-01 prosedur teknologi informasi
Amelia Fitri
 
PDF
Government Information
sstose
 
PDF
The Semantic Web in Digital Libraries: A Literature Review
sstose
 
ΟΝΝΕΔ - Οι προτάσεις μας για τα ΤΟΣΥΝ
vmamatsios
 
Disruptive technologies: Prediction or just recommendations?
sstose
 
Web classification of Digital Libraries using GATE Machine Learning  
sstose
 
A comparison of two digital libraries based on pre-established criteria
sstose
 
Christine Madsen interview
sstose
 
Nyt p-ga-01 prosedur teknologi informasi
Amelia Fitri
 
Government Information
sstose
 
The Semantic Web in Digital Libraries: A Literature Review
sstose
 
Ad

Similar to Data Breaches (20)

PPT
Data breach protection from a DB2 perspective
Craig Mullins
 
PDF
wp-follow-the-data
Numaan Huq
 
PPT
George Gavras 2010 Fowler Seminar
Don Grauel
 
PDF
Issue Paper Year Of The Breach Final 021706
Carolyn Kopf
 
PDF
Axxera End Point Security Protection
Shawn Crimson
 
PDF
wp-analyzing-breaches-by-industry
Numaan Huq
 
PDF
Data Security Regulatory Lansdcape
Brian Bauer
 
PDF
Sept 2012 data security & cyber liability
DFickett
 
PPT
Cyber-Security: A Shared Responsibility -- November 2013
Amy Purcell
 
PDF
Co3 rsc r5
Patrick Florer
 
PPTX
Deconstructing Data Breach Cost
Resilient Systems
 
PDF
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
SafeNet
 
PPTX
Data Privacy Introduction
Prachi Gulihar
 
PDF
Data breaches at home and abroad
Law Practice Strategy
 
PDF
Privacy Management System: Protect Data or Perish
RSIS International
 
PDF
IDT Red Flags White Paper By Wrf
Bucacci Business Solutions
 
PPTX
NumaanHuq_Hackfest2015
Numaan Huq
 
PPTX
CSMFO 2012 Data Privacy in Local Government
Donald E. Hester
 
PPTX
Cybersecurity Seminar March 2015
Lawley Insurance
 
PDF
databreach whitepaper
Paige Schaffer
 
Data breach protection from a DB2 perspective
Craig Mullins
 
wp-follow-the-data
Numaan Huq
 
George Gavras 2010 Fowler Seminar
Don Grauel
 
Issue Paper Year Of The Breach Final 021706
Carolyn Kopf
 
Axxera End Point Security Protection
Shawn Crimson
 
wp-analyzing-breaches-by-industry
Numaan Huq
 
Data Security Regulatory Lansdcape
Brian Bauer
 
Sept 2012 data security & cyber liability
DFickett
 
Cyber-Security: A Shared Responsibility -- November 2013
Amy Purcell
 
Co3 rsc r5
Patrick Florer
 
Deconstructing Data Breach Cost
Resilient Systems
 
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
SafeNet
 
Data Privacy Introduction
Prachi Gulihar
 
Data breaches at home and abroad
Law Practice Strategy
 
Privacy Management System: Protect Data or Perish
RSIS International
 
IDT Red Flags White Paper By Wrf
Bucacci Business Solutions
 
NumaanHuq_Hackfest2015
Numaan Huq
 
CSMFO 2012 Data Privacy in Local Government
Donald E. Hester
 
Cybersecurity Seminar March 2015
Lawley Insurance
 
databreach whitepaper
Paige Schaffer
 

Data Breaches

  • 1. Stephen J. Stose IST 618--Dr. Thomas Martin Syracuse University School of Information Studies Summer 2008   Data  Breaches     “Over  233  million  data  records  of  U.S.  residents  have  been  exposed  due  to  security   breaches  since  Jan  05i.”     Background   The  Ponemon  Institute,  a  company  dedicated  to  advancing  responsible  information   management  policies,  reports  that  companies  in  2007  spent  an  average  of  6.3  million   dollars  in  costs  associated  with  lost  or  stolen  data,  a  30%  increase  over  the  preceding   yearii.  This  means  an  average  cost  of  $197  per  compromised  record,  up  from  $182.    In   2008,  the  Identity  Theft  Resource  Center  reports  a  69%  increase  in  data  breaches,  20%  of   which  constitute  lost  or  stolen  devices,  and  15%  constituting  “inadvertent  posting.iii”   The  Ponemon  Institute  reports  even  higher  figures  for  lost  or  stolen  devices:  49%  in   2006iv.  Indeed,  Attrition.org  maintains  an  updated  list  of  these  breaches.  Perusing  the   list,  these  and  other  forms  of  negligence,  such  as  improperly  stored  and/or  transmitted   data,  comprise  the  surprising  majority  of  casesv.  Indeed,  current  workplace  habits  such   as  downloading  or  copying  confidential  records  onto  personal  devices,  turning  off   security  settings  or  firewalls,  sharing  passwords,  or  sending  attachments  to  home   computers  are  commonvi.       These  increases  are  startling,  but  may  be  attributed  to  a  higher  incidence  of  reporting   the  occurrence  of  breaches.  Since  California’s  security  breach  notification  legislation   came  into  effect  in  2003vii,  many  states  now  have  similar  notification  laws,  and   companies  are  now  considering  their  effectsviii .  The  U.S.  (contrary  to  the  E.U.)  has  no   overarching  law  that  governs  how  the  private  sector  uses  and  protects  personal   information.  Instead,  it  promotes  industry  self-­‐‑regulation  through  privacy  and   technology  statements,  and  opt-­‐‑out  standards  that  apply  in  a  patchwork  fashion   depending  on  the  types  and  uses  of  information  collected  and  storedix.  Two  possible   effects  state  notification  laws  have  in  common  are:  1)  loss  of  reputation  and  hence   market  share,  and  2)  customer  re-­‐‑assessment  of  risk  in  doing  business  with  the  chosen   entity.    We  will  argue  in  another  section  that  notification  laws  are  not  sufficient  to  deter   substandard  data  security.  Additionally,  these  measures,  while  seeking  to  indemnify   customers  against  actual  breaches,  may  do  nothing  to  prevent  the  breach  in  the  first   place.       The  Gramm-­‐‑Leach-­‐‑Bliley  Actx  is  a  federal  regulation  to  prevent  fraudulent  access  to   financial  information  through  impersonation,  phone,  mail,  email,  or  phishing  (15  U.S.C.  
  • 2. 2 §  6821-­‐‑6827);  it  also  requires  that  institutions  have  information  security  plans  enacted   that  specify  how  a  company  will  protect  and  ensure  the  privacy  of  non-­‐‑public  personal   information  (15  U.S.C.  §  6801-­‐‑6809).    These  regulations  apply  only  to  financial   institutions,  however,  and  not  to  general  small  businesses,  e-­‐‑commerce  or  social-­‐‑ networking  transactions.       We  believe  other  such  over-­‐‑arching  regulation  needs  to  be  developed  federally  that   covers  all  information  collection  endeavors  in  the  new  age  of  electronic  transmissions.   This  should  include  data  security  and  breach-­‐‑notification  laws,  rules  that  specify   penalties  for  breaches,  and  strong  privacy  laws  requiring  companies  to  disclose  their   privacy  statements  along  with  assumptions  of  transparency.  The  default,  we  believe   should  be  more  akin  to  opt-­‐‑in;  that  is  to  say,  consumers  should  not  be  required  to  work   to  keep  their  data  secure  and  private.       Perspective     The  paper  is  written  from  the  perspective  of  an  information  professional,  as  well  as  a   daily  participant  in  the  new  world  of  electronic  communication  and  commerce.    My   background  as  a  social  scientist  enables  me  a  high  level  of  analysis  into  pertinent  issues   of  data  and  its  importance  to  the  livelihood  of  conducting  business  and  commerce,   while  still  respecting  fundamentally  human  aspects  of  rights  to  privacy,  data  protection,   and  security.  These  beliefs  are  fundamental  to  this  analysis,  and  it  attempts  to  uphold   the  1974  Privacy  Act  as  close  to  the  letter  as  possible,  despite  trends  that  continue  to  the   contrary.  Nevertheless,  it  attempts  to  adapt  itself  to  current  realities,  while  still  making   recommendations  believed  to  create  a  stronger,  safer  and  more  human  system  of   electronic  communications  and  commerce.         Issue  Questions     The  issues  I  will  address  in  this  paper  are:     1. Is  there  a  need  for  legislation  to  ensure  that  confidential  information  is  stored   securely  so  that  the  incidence  of  data  breaches  can  be  reduced?   2. When  should  those  whose  data  has  been  compromised  be  notified  of  a  data   breach?   3. Should  those  whose  information  has  been  compromised  be  given  the  right  to   receive  compensation  for  damages,  and  what  actions  should  the  company   losing  the  data  be  required  to  take  to  minimize  damages?  
  • 3. 3 4. Is  there  a  need  to  pass  consumer  privacy  laws  so  that  they  impose  fair   information  practices  upon  creators  of  databases  containing  confidential   information?       Is  there  a  need  for  legislation  to  ensure  that  confidential  information  is  stored   securely  so  that  the  incidence  of  data  breaches  can  be  reduced?       One  standard,  developed  by  the  various  credit  card  companies,  is  called  the  Payment   Card  Industry  Data  Security  Standard  (PCI  DSS).  This  is  now  a  mandatory  twelve-­‐‑step   global  standard  that  ensures  the  protection  of  all  cardholder  data,  and  requires  external   auditing  if  a  company  processes  over  80,000  transactions  annuallyxi.  Smaller  companies   are  required  to  perform  self-­‐‑assessments.  With  the  bad  press,  many  companies  are  now   taking  these  assessments  seriously,  in  order  to  avoid  the  new  disclosure  laws  in  several   states  requiring  both  individual  and  at  times  mass  media  notification  of  breaches.       Many,  however,  argue  that  only  six  percent  of  all  known  cases  of  identity  theft  or  fraud   are  attributable  to  data  breaches,  and  that  consumers  are  being  misled  about  ways  to   prevent  theftxii.    We  agree  that  the  recent  data  breach  hype,  as  well  as  the  trend  towards   notification  laws,  is  desensitizing  individuals  to  its  inevitability  and  occurrence.  The   same  misunderstanding  occurs  when  individuals  believe  hackers,  malicious  code  and   malicious  insiders  are  responsible  for  data  breaches,  when  in  reality  they  only  account   for  10%,  6%  and  6%  of  breaches  respectivelyxiii.       Thus,  we  want  to  stress  the  creation  of  legislation  that  prevents  not  just  malicious   attacks  (which  occur  in  any  system,  regardless  of  its  security),  but  protects  consumers   against  the  creeping  desensitization  of  the  inevitability  of  a  data  breaches,  such  that  the   primary  concern  is  not  what  to  do  when  it  occurs,  but  stresses  the  fact  that  the  majority   of  breaches  occur  almost  accidentally,  due  to  negligence  and  poor  internal  management   policies.  Making  the  PCI  standard  part  of  federal  legislation,  perhaps  as  a  part  of  the   current  notification  legislation  we  will  discuss  soon,  will  serve  to  prevent  data  mis-­‐‑ management,  such  that  fraud  and  theft  are  no  longer  an  easy  option.  This  legislation,   we  believe,  should  include  an  allowance  for  businesses  that  manage  data  to  be  brought   into  civil  liability  class  action  suits  that  up  until  now  have  been  rejected  due  to  no   “actual  harm”  claims.  Thus,  we  argue  that  tort  law  needs  to  catch  up  with  the  today’s   increasing  occurrence  of  internet-­‐‑based  harmsxiv,  and  impose  weak  liability  sanctions  on   businesses  that  themselves  have  no  active  sanctions  in  place  for  the  negligent  behavior   of  its  data  managers  and  staff  with  access  to  database  records.      
  • 4. 4 Additionally,  since  most  data  breaches  are  occurring  at  the  mom-­‐‑and-­‐‑pop  shop  level,  as   they  make  up  over  85%  of  credit  card  transactions  nationwide,  local  business  bureaus   should  have  education  plans  mandated  for  existing  companies.  It  was  found  that  of  600   companies  with  250  employees  or  fewer,  52%  of  them  were  unknowably  storing   sensitive  customer  information  on  their  systemsxv.  Thus,  it  seems  that  the  credit  card   processing  companies  must  be  held  liable  for  the  education  of  their  clients  regarding   PCI  standards;  that  is,  small  businesses  must  be  indemnified  if  such  standards  were  not   made  apparent  in  their  contracts,  and/or  if  they  are  PCI  compliant.  However,  if  data  is   lost,  identifiable  during  transmission,  or  posted;  or  if  a  device  with  data  is  lost  or  mis-­‐‑ managed,  sanctions  for  negligence  should  be  in  place.    In  this  respect,  incentives  at  the   individual  and  small  business  level  for  preventing  security  breaches  before  they  occur   would  complement  the  punishments  companies  fear  after  they  occur  through  the   notification  laws  in  effect  today.    Such  security  regulations  that  trickle  down  to  the  local   level  should  reduce  the  incidence  of  data  breaches,  and  not  just  compensate  for  a  loss   that  ought  not  to  have  occurred  in  the  first  place.       Thus,  proper  regulations  will  hopefully  make  companies  rethink  whether  administering   database  records  of  their  clients  outweigh  the  risks  associated  with  the  sanctions  in   place  of  not  having  a  proper  security  system  installed  that  is  PCI  compliant,  and   outweighs  the  risks  of  the  sanctions  we  will  discuss  below  when  and  if  a  security  breach   does  occur.  The  goal  of  this  will  be  to  force  companies  to  take  the  storage  and   processing  of  personal  data  seriously,  and  perhaps  create  innovation  to  begin  using   internally  developed  identification  numbers  that  replace  other  forms  of  identification   (e.g.,  social  security  number)  when  tracking  customer  data.         When  should  those  whose  data  has  been  compromised  be  notified  of  a  data  breach?     The  first  assumption  that  data  breach  notification  legislation  makes  is  that  companies— to  avoid  being  the  bearer  of  bad  news  to  customers,  and  hence  reduce  their  confidence   in  the  services  it  offers—will  take  steps  to  deter  security  breaches  from  first  occurring.   The  second  is  that  through  notification,  customers  may  re-­‐‑assess  the  cost-­‐‑benefit  of   continuing  a  relationship  with  the  company.  Whether  or  not  these  assumptions,  which   guide  the  recent  efforts  of  state  legislation,  actually  serve  as  a  deterrent  has  been  the   subject  of  much  academic  speculationxvi.    We  will  side  with  the  opinion  that  disclosure   laws,  while  absolutely  necessary  for  upholding  an  individual’s  rights  to  privacy,  are  not   sufficient  deterrents  in  themselves.  California  began  the  trend,  and  enacted  two  pieces   of  consumer  rights  legislation  in  2003.  The  security  breach  statutexvii  requires:      
  • 5. 5   "ʺany  person  or  business  that  conducts  business  in  California,  and  that  owns  or     licenses  computerized  data  that  includes  personal  information,  [to]  disclose  any     breach  of  the  security  system…to  any  resident  of  California  whose  unencrypted     personal  information  was,  or  is  reasonably  believed  to  have  been,  acquired  by     an  unauthorized  person."ʺ         As  this  legislation  applies  only  to  “unencrypted  personal  information,”  in  order  to   avoid  liability  under  the  statute,  a  company  need  only  encrypt  computerized  non-­‐‑ public  information.  Additionally,  “unauthorized”  access  becomes  authorized  once   companies  require  need-­‐‑to-­‐‑know  permission  standards  through  the  establishment  of   passwords  and  mandatory  employee  training  on  information  security  standardsxviii .  We   applaud  this  groundbreaking  first  attempt  at  providing  incentive  to  companies  to   safeguard  the  data  of  their  clients.         Javelin  Strategy  and  Research  published  a  study  that  found  30%  of  consumers  (in  their   5  year  longitudinal  sample)  were  victims  of  data  breach,  with  only  6%  of  those  suffering   identity  fraudxix.  Thus,  notification  laws,  if  they  do  function  as  deterrents,  need  go  hand   in  hand  with  public  education.  That  is,  incidences  of  fraud  were  much  more  likely   (30%)  to  occur  due  to  lost  or  stolen  personal  items  (e.g.,  wallets),  suggesting  that  the   recent  public  hype  fed  by  media  attention  may  only  get  worse  if  every  time  a  breach   occurs  people  must  be  notified  by  law.  It  is  not  clear  whether  companies  are  releasing   data  breach  information  because  they  are  starting  to  be  more  vigilant  in  seeking   breaches  (presumable,  because  of  the  new  laws  in  some  states),  or  in  order  to  control   their  public  imagexx.  This  makes  it  difficult  to  attribute  the  sudden  increases  to  more   reporting,  or  whether  it  reveals  actual  new  vulnerabilities  in  data  processing  and   storage.       Approximately  44  states  now  have  notification  laws,  and  while  the  rationale  for  these   are  fundamentally  the  same,  the  details  widely  diverge.    Some  states  require  that  a   credit  card’s  access  code  be  divulged  to  justify  the  disclosure  of  breaches  (e.g.,   California’s),  while  this  is  not  so  in  the  Kansas  bill.  Only  some  require  the  secure   destruction  of  sensitive  data  on  paper.  Pennsylvania  considered  legislation  to  close  the   encryption  exemption,  requiring  disclosure  even  if  the  data  were  originally  encrypted.     Eighteen  states  deem  the  “belief”  (by  whom?)  that  stolen  data  will  “not  be  misused”  as   an  exemption;  and  others  exempt  disclosure  if  card  number  have  been  redacted  in   another  formxxi.  These  discrepancies  lead  to  public  relations  issues  when  disclosing  to   customers  in  some  states  but  not  others,  among  other  possible  confusions  nationwide.     We  feel  strongly  about  five  exemptions  to  disclosure.  Firstly,  in  order  not  to  unduly   alert  consumers,  if  card  numbers  cannot  be  linked  to  access  codes,  notification  need  not  
  • 6. 6 occur.  Secondly,  given  that  hackers  can  fool  their  way  into  encrypted  data,  and  that   encryption  is  not  the  end-­‐‑all  to  protection,  encryption  should  not  automatically  justify   an  exemption  (especially  if  access  cards  are  available).  Thirdly,  companies  may  not  self-­‐‑ exempt  disclosure  based  on  their  own  definition  of  what  can  and  cannot  be  “misused,”   but  may  do  so  when  independent  auditors  can  make  the  case  after  an  appropriate   assessment  of  risk  is  carried  out.  Fourthly,  redacted  data  should  be  exempt,  but  only  if   no  link  from  the  redacted  data  to  the  original  was  divulged.  And  fifthly,  third-­‐‑party   credit  card  processing  companies  cannot  indemnify  themselves  against  breaches  when   their  retail  clients  have  not  been  educated  regarding  the  storage  and  processing   characteristics  of  the  card-­‐‑reading  software  packages  utilized.  On  a  similar  note,  and  in   place  of  all  current  state  notification  laws,  is  the  opposite:  if  companies  outsource   customer  data  processing,  they  are  still  liable  for  how  that  data  is  processed  and  stored.           Should  those  whose  information  has  been  compromised  be  given  the  right  to  receive   compensation  for  damages,  and  what  actions  should  the  company  losing  the  data  be   required  to  take  to  minimize  damages?     Currently,  there  are  two  bills  active  in  the  Senate  (Leahy-­‐‑Specter’s  S.495;  and  Feinstein’s   S.239)  and  two  in  the  House  (Rush  and  Stearn’s  H.R.958;  and  Smith’s  H.R.  836)xxii.    The   main  issue  of  contention  in  many  of  these  bills  is  whether  consumer  notification  should   occur  given  a  “reasonable”  risk  of  harm,  or  whether  this  risk  need  qualify  as   “significant.”    In  either  case,  and  we  repeat,  this  risk  assessment  must  be  part  of  an   independent  inquiry,  and  make  up  one  of  many  other  more  objective  benchmarks  (e.g.,   as  listed  above),  that—taken  together—determine  whether  or  not  disclosure  is  the  most   prudent  path.    With  no  other  sanctions  in  place  for  a  breach  of  data,  it  is  imperative  that   companies—when  required  by  law  to  send  out  notification—are  also  implicated  by  law   in  offering  free  credit  monitoring  services  for  a  to-­‐‑be-­‐‑specified  number  of  years,   depending  on  the  breach  severity.  In  other  words,  we  are  of  the  opinion  that   notification  laws  are  in-­‐‑themselves  an  insufficient  deterrent,  albeit  a  necessary  action   towards  diminishing  security  fraud.         Notification  laws  are  an  insufficient  deterrent  on  multiple  grounds.  Firstly,  the  breach   may  occur  at  one  of  the  “back  office”  processing  companies  (e.g.,  data  couriers  or  data   brokers),  leading  to  consumer  confusion  regarding  whether  shopping  elsewhere   effectively  punishes  anybody.  Also,  with  larger  companies  such  as  banks,  consumers   not  only  fear  the  cost  of  changing  companies,  they  also  may  begin  to  feel  its   ineffectiveness,  assuming  all  such  companies  are  equally  likely  to  incur  a  breach.  As   with  the  media  hype,  consumers  begin  to  consider  breaches  “normal.”    Companies  
  • 7. 7 often  would  prefer  it  this  way,  as  breach  desensitization  leads  consumers  to  waive   market  punishment;  indeed,  many  feel  such  notices  would  lead  only  to  “crying  wolf,”   bringing  customers  to  ignore  such  warnings  wholesalexxiii.  For  instance,  TJX  Companies   Inc.  incurred  only  a  slight  dip  in  share  price  when  its  security  breach  was  announced  in   January  2007,  and  customers  expressed  lax  concern  given  its  low  prices  while  justifying   that  it  could  have  happened  to  any  company.  After  a  class  action  lawsuit  was  filed  a   few  weeks  later,  the  share  price  fellxxiv.  Consumers  also  feel  protected  by  the  cardholder   agreements  that  insulate  their  losses,  probably  forgetting  that  they  pay  for  these   through  increasing  fees;  nor  do  they  consider  the  extremely  arduous  process  of  identity   theft  recovery,  which  has  been  described  as  arduous  and  intimidatingxxv.  Thus,   notification  may  not  necessarily  function  as  an  indirect  form  of  consumer  sanction,  as  it   was  originally  conceived.     We  believe  the  courts  need  to  begin  to  consider  the  prospect  of  allowing  civil  liability   cases  to  be  heard  when  and  if  it  can  be  established  that,  had  the  breach  not  occurred,  the   theft  of  data  would  not  have  occurred.  This  causality  claim  has  not  done  well  in  court,   however,  as  the  customer  presumably  submits  the  very  data  lost  to  many  institutions   other  than  the  one  that  incurred  the  breach;  nor  can  it  be  established  that  identity  theft   is  an  event  that  ordinarily  does  not  take  place  when  a  company  has  not  been   negligentxxvi.  This  is  to  say,  data  security  negligence  does  not  ordinarily  lead  to  identity   theft.    Given  the  statistics,  that  seems  to  be  true,  despite  the  hype.  It  also  means  that  the   personal  information  may  have  been  shared  with  different  institutions  and  hence   misused  elsewhere,  invoking  no  liability  to  the  company  originally  responsible.  This  is   a  question  of  privacy  law,  which  we  will  come  to  next.  Torts  have  also  been  rejected  as  a   form  of  civil  liability  because  “actual  harm”  is  only  the  fear  of  the  possibility  of  future   harm,  and  so  this  argument  has  not  even  been  able  to  sustain  rewards  of  credit   monitoring  as  personal  compensation  for  a  breachxxvii.         Therefore,  we  believe  it  should  not  be  the  sole  job  of  courts  to  craft  solutions  for  each   and  every  case  of  identity  fraud.  Instead,  legislation  must  be  drafted  which  allows  the   pinpointing  of  responsibility  through  regulatory  standards.  More  stringent  rules  are   needed  to  motivate  businesses  to  comply  with  data  security  standards,  as  we  discussed   above.  Minnesota  was  the  first  state  to—in  addition  to  enticing  companies  to  change   through  the  notification  deterrent—also  decided  to  punish  companies  by  giving  PCI   standards  a  legal  standing.  The  Plastic  Card  Security  Actxxviii  makes  companies  that   process  more  than  20,000  transactions  annually  liable  to  banks  and  credit  unions  for  the   costs  of  credit  card  blocking  and  re-­‐‑issuance,  if  sensitive  information  is  found  to  be   stored  after  certain  limits,  something  that  PCI  explicitly  prohibitsxxix.  Massachusetts  has   a  similar  law,  which  includes  government  bodies  under  its  definition  of  “commercial   entityxxx.”  
  • 8. 8   Even  still,  this  may  not  be  enough  to  get  smaller  companies,  the  52%  cited  above  guilty   of  storing  sensitive  nonpublic  information,  to  comply.  Often,  these  smaller  companies   are  storing  data  without  even  knowing  it,  as  the  packaged  payment  applications  they   utilize  store  this  information  by  default.  For  this  reason,  we  are  urging  that  the  card   processing  (“back-­‐‑office”)  companies  that  distribute  these  packaged  programs  be  held   accountable  for  updating  software  packages  in  compliance  with  this  regulation,  as  well   as  educate  their  retail  clients  of  these  storage  regulations  in  order  to  indemnify   themselves  against  future  claims,  thereby  making  the  businesses  themselves   accountable  for  non-­‐‑compliance.  In  this  way,  we  have  argued,  liability  claims  are   allowed  to  trickle  down.    As  it  is,  many  smaller  businesses  are  being  fined  for  security   breaches  they  believed  to  have  made  a  sincere  attempt  to  control  through  firewall   protection  and  passwords.       Individuals  are  also  a  main  concern.  Notifications  need  to  come  with  clear  and  concise   information  for  how  the  breaching  institution  is  going  to  compensate  for  its  negligence,   not  just  a  vague  and  empty  informational  letter.  If  individuals  are  powerless  in  court,   even  as  a  class  action,  we  need  to  see  legislation  at  the  federal  level  that  not  only   protects  the  financial  institutions,  but  also  a  statutory  right  of  action  extended  to   consumers.  At  the  very  least,  laws  are  needed  that  require  as  part  of  notification  a  writ   of  guaranteed  credit  monitoring  services  which—in  the  case  of  credit  fraud—also  incur   all  personal  costs  and  troubles  associated  with  the  clearing  the  debts  and  accounts   created  by  the  thieves.  As  it  is,  the  Federal  Trade  Commission  advises  much  persistence   in  getting  local  and  state  police  sources  to  recognize  fraud,  a  step  necessary  to  get   collection  agencies  to  rescind  their  legal  duty  to  collectxxxi.  In  other  words,  businesses   should  not  just  be  held  responsible  for  ensuring  that  financial  institutions  are  covered  in   their  losses,  but  that  individuals  are  likewise  covered  for  the  costs  associated  with  both   future  credit  monitoring,  and  the  larger  personal  costs  associated  with  clearing  the   debts  and  accounts  created  by  the  thieves.    The  costs  of  credit  monitoring  should  be   borne  by  the  company,  such  that  incentive  is  created  to  re-­‐‑analyze  the  benefit  of   maintaining  personal  data  weighted  against  the  costs  of  possible  breaches  due  to   disorganization,  sloppy  internal  work  ethic,  file-­‐‑sharing  and  data  vending,  and  of   course  any  other  risk  associated  with  PCI  non-­‐‑compliance.    If  all  companies  are  under   the  same  level  of  regulation  at  each  level  in  the  system  (from  credit  card  agencies,  to   processing  companies,  to  retail  businesses)  to  ensure  that  they  are  PCI  compliant  at  the   least,  this  is  incentive  enough  for  motivating  businesses  to  work  harder  to  guarantee  a   secure  marketplace  in  which  to  do  business.            
  • 9. 9 Is  there  a  need  to  pass  consumer  privacy  laws  so  that  they  impose  fair  information   practices  upon  creators  of  databases  containing  confidential  information?     Data  managers  know  the  value  of  reusing  data.  However,  few  individuals  believe  that   the  personal  information  they  provide  is  and  can  be  bought  and  sold  as  a  good.  The   questions  above  deal  with  data  security  and  its  failure.  This  is  distinct  from  what   companies  can  legally  do  with  personal  information  once  they  have  it,  whether   individuals  are  aware  that  companies  are  even  gathering  information  about  them,  and   hence  what  rights  individuals  have  and  what  permissions  need  to  be  granted  regarding   its  ownership,  preservation  and  sharing.  Given  that  recent  news  regarding  data   breaches  are  waking  up  individuals,  privacy  groups  are  rethinking  the  implications  of   the  1974  Privacy  Actxxxii  and  the  meaning  of  its  “fair  information  practices”  given  the   expanding  intrusion  of  companies  and  government  as  a  result  of  the  free  flow  of   information  on  the  Internet.     The  USA  Patriot  Actxxxiii  began  an  era  of  increased  government  surveillance  once  again,   as  government  again  began  collecting  data  about  individuals  with  neither  consent  nor   recourse  to  oversight  or  legal  challenge.  In  the  European  Union,  on  the  other  hand,   personal  privacy  laws  are  relatively  advanced.    The  European  Commission  passed   Directive  95/46/EC  on  the  “Protection  of  Individuals  with  Regard  to  the  Processing  of   Personal  Data  and  on  the  Movement  of  Such  Dataxxxiv.    In  contradistinction,  the  U.S.  has   no  overarching  federal  policy,  preferring  instead  to  adopt  privacy  legislation  “as   needed,  ”  as  sectors  and  events  see  fit.  For  this  reason,  we  see  a  proliferation  of  acts,   such  as  the  Video  Protection  Actxxxv,  the  Cable  Television  Consumer  Protection  and   Competition  Actxxxvi,  the  Health  Insurance  Portability  and  Accountability  Act   (HIPAA)xxxvii,  the  Children'ʹs  Online  Privacy  Protection  Act  (COPPA)xxxviii ,  and  the  Fair   Credit  Reporting  Actxxxix,  among  others.  Former  President  Bill  Clinton  and  vice-­‐‑ President  Al  Gore  advised  in  their  “Framework  for  Global  Electronic  Commerce”  that   “the  private  sector  should  lead,”  “governments  should  avoid  undue  restrictions  on   electronic  commerce,”  and  ironically  even  that  “Electronic  Commerce  over  the  Internet   should  be  facilitated  on  a  global  basisxl.”         Advances  in  data  mining  allow  searching  for  correlations  and  patterns  amongst  data.   This  is  not  hypothetical  deduction,  as  in  science,  but  hypothetical  induction.  A  graduate   student,  for  example,  by  tracking  the  IP  fingerprints  across  millions  of  Wikipedia   entries,  traced  a  systematic  deletion  of  critical  information  regarding  e-­‐‑voting  machines,   from  the  very  company  producing  those  machinesxli.  A  Carnegie  Mellon  professor,   Latanya  Sweeny,  for  instance,  found  that  by  just  knowing  an  individual’s  postal  code   and  birth  data,  that  individual’s  personal  information  in  a  putatively  anonymous  public  
  • 10. 10 database  could  be  identified  with  69  percent  accuracy,  and  even  87  percent  if  the  gender   is  also  knownxlii.       Thus,  while  HIPAA  allows  a  small  portion  of  data  to  be  utilized  for  marketing  purposes   if  and  only  if  it  is  stripped  of  all  personal  identifiers,  data  miners  may  re-­‐‑identify  the   person  by  making  correlations  across  other  databases.  We  firstly  believe  that  federal   laws  regarding  information  as  sensitive  medical  data  should  in  no  way  ever  be   marketed.  Secondly,  if  the  U.S.  does  wish  to  continue  making  piecemeal  legislation  on   an  as  needed  basis,  basic  federal  rules  consistent  with  “fair  information  practices”   outlined  in  the  Privacy  Act  must  provide  the  unwavering  fundamentals  under  which   these  piecemeal  laws  must  conform.       There  are  also  recommendations  to  fight  data  mining  indirectly  xliii .  For  example,  after   records  have  been  de-­‐‑identified,  average  values  for  fields  (across  five  to  ten  records)  or   known  amounts  of  random  noise  could  be  used,  or  random  amount  of  noise  could  be   introduced  across  all  records.    Both  methods  would  allow  for  data-­‐‑analytic  breakdown   and  accurate  analyses  by  researchers  or  marketers  wishing  to  use  it  in  their  studies.   This,  however,  while  it  is  a  form  of  data  encryption,  does  not  solve  the  more   fundamental  problem  of  personal  rights  of  privacy  we  endorse  in  this  paper.       For  one,  we  call  for  a  strict  opt-­‐‑in  policy  for  any  data  sharing  and  marketing.    That  is  to   say,  it  is  a  dangerous  default  and  precedent  to  begin  requiring  individuals  to  take  active   measures  themselves  to  investigate  and  inform  themselves  regarding  what  a  company’s   plan  is  for  the  data  they  provide.  If  that  plan  is  mere  storage,  users  may  be  presented   with  an  opt-­‐‑out  option;  but  only  in  this  case.  And  when  the  case,  consumers  should  not   have  to  take  active  steps  to  opt-­‐‑out.  On  the  other  hand,  if  the  company’s  plan  is  to  share,   sell,  or  market  the  data  at  any  time,  consumers  must  be  provided  with  an  opt-­‐‑in  option   up  front,  with  a  summarized  and  understandable  (i.e.,  not  legalese)  terms  of  the  plans.   Additionally,  these  may  not  be  guised  through  formats  such  as  opting-­‐‑in  or  -­‐‑out  of   newsletters  or  updates  (a.k.a.  spam).  This  form  of  opting-­‐‑in  or  –out,  whichever  the  case,   must  also  be  made  more  robust  and  not  depend  on  cookies,  which  upon  deletion   (accidental  or  intentional)  often  render  such  agreements  void.       Such  legislation  must  be  passed  that  resists  attempts  by  private  industry  lobbyists  to   influence  these  fundamental  protections.  Of  course,  given  the  proliferation  of  Acts,  it  is   difficult  to  make  a  wholesale  rejection  of  the  current  U.S.  implementation  of  data   privacy  laws  on  a  sector-­‐‑by-­‐‑sector  basis.  For  this  reason,  we  call  for  an  overreaching   federal  policy  that  at  least  sets  guidelines  and  fundamentals,  as  is  done  in  the  European   Union,  and  insists  that  data  protectors  are  employed  to  ensure  compliance.  Sector  by   sector  acts  may  vary,  but  may  not  violate  these—what  should  be  considered—inviolate  
  • 11. 11 privacy  protections  in  today’s  age  of  information.  They  provide  the  control  users  have  a   right  to  feel  against  their  fears—however  irrational  they  may  or  may  not  be—of  data   breaches,  which  notification  laws  are  just  now  making  more  salient.    They  also  reduce   the  secondary  and  indirect  need  for  database  managers  to  add  noise  or  aggregate  data,   or  the  Safe  Harbor  agreements  that  provides  Europeans  protections  that  accord  with   fair  information  policies,  while  denying  U.S.  citizens  the  same  privacy  assumptions.   While  we  are  not  opposed  to  recent  efforts  by  industry-­‐‑led  efforts  to  secure  a   standardized  set  of  policy  rules,  as  Trust-­‐‑e  and  P3Pxliv  have  done  (and  indeed  applaud   the  effort),  we  still  argue  the  most  basic  privacy  disclosures  should  be  a  fundamental   right  of  individuals,  such  that  these  standards  are  required  under  law.       Conclusion       Due  to  recent  notification  laws,  data  breaches  have  penetrated  the  public  conscious.   Notification  laws  are  an  effective  step  in  providing  incentive  to  companies  to  protect   their  databases  with  rigor.  These  may  be  insufficient,  nevertheless,  and  must   accompany  campaigns  to  balance  the  hype  such  initiatives  create  with  education   regarding  the  real  causes  of  breaches.  Companies  at  each  level  of  credit  card   transactions  must  also  incur,  through  federal  regulation,  the  costs  associated  with   breaches  of  non-­‐‑public  personal  information.  Incentive  thus  must  be  paired  with   consequences,  such  that  companies,  even  small  companies,  are  educated  regarding  data   security  standards,  whereby  not  knowing  is  sufficient  reason  for  assigning  blame  not   just  in  the  legal  system  (if  necessary),  but  at  a  federal  regulatory  level.  In  addition,   security  must  go  hand  in  hand  with  privacy.  Breaches  of  public  information,  while   often  workplace  negligence,  are  also  a  reality  due  to  lax  standards  harnessed  through   private  sector  lobbying  that  allow  data  sharing,  selling  and  marketing  without  the   consumers  informed  consent.  These  are  trends  that  must  reverse  if  the  United  States  is   to  compete  globally,  and  provide  its  own  citizens  with  privacy  protections  both  it  and   the  EU  grants  to  citizens  of  Europe.  Opting-­‐‑out  should  not  be  entrenched  in  the  public   mind  as  a  default,  whereby  individuals  must  act  to  protect  themselves.  Privacy   protections  at  the  individual  level  should  be  pre-­‐‑supposed.                   Footnotes  
  • 12. 12 i Privacy Rights Clearinghouse (July 11, 2008). A chronology of data breaches. http://www.privacyrights.org/ar/ChronDataBreaches.htm. ii Poneman Institute (Novermber 28, 2007). Ponemon study shows data breach costs continue to rise. http://www.pgp.com/newsroom/mediareleases/ponemon-us.html. iii Krebs, Brian (July 1, 2008). Washington Post. Data breaches are up 68% this year, nonprofit says. http://www.washingtonpost.com/wp-dyn/content/article/2008/06/30/AR2008063002123.html. iv Fontana, John (Nov 2, 2006). Average data breach costs companies $5 million. http://www.networkworld.com/news/2006/110206-data-breach-cost.html. v Data Loss Archive and Database (DLDOS). http://attrition.org/dataloss/. See also ibid. vi Ponemon Institute and RedCannon Security (Dec, 2007). Survey of US IT practitioners reveals data security policies not enforced. http://www.redcannon.com/news_and_events/press_release_ponemon.html. vii S.B. 1386, codified in Cal. Civ. Code § 1798.82. A description of this law can be found at www.privacyrights.org/ar/SecurityBreach.htm. viii For a chart of state-by-state legislation, see http://www.digestiblelaw.com/files/upload/securitybreach.pdf. ix Katz, M. L. (2008). Data security: Into the breach. The Maryland Bar Journal, 41(1). x Safeguards Rule: Laws and Rules. Pub. L. No. 106-102, Title V Subtitle A. See http://www.ftc.gov/privacy/privacyinitiatives/safeguards_lr.html. xi Allan, Danny (June, 2008). Payment card industry mandate stresses importance of web application security: Recommended becomes required. http://www.net-security.org/article.php?id=1143&p=1. See also PCI Security Standards Council https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml. xii Finextra.com (September, 2006). Data breach hype is misleading consumers—study. http://www.finextra.com/fullstory.asp?id=15860. xiii Ibid. Fontana, John (Nov 2, 2006). Average data breach costs companies $5 million. http://www.networkworld.com/news/2006/110206-data-breach-cost.html. xiv see Rustad, M. L. & Koenig, T. H. (2005). Rebooting cybertort law. Washington Law Review Association, 80. xv Sidel, Robin (September 2007). In data leaks, culprits often are Mom, Pop. http://online.wsj.com/article/SB119042666704635941.html?mod=sphere_ts. xvi Schwartz, P. & Janger, E. (2007). Notification of data security breaches. Michigan Law Review, 105. See also Picanso, K. E. (2006). Protecting information security under a data breach notification law. Fordham Law Review, 75. xvii SB  1386,  codified  as  Civil  Code  §  1798.82,  et  seq. xviii Brelsford, James F. (September 2003). California raises bar on data security and privacy. FindLaw. http://library.findlaw.com/2003/Sep/30/133060.html. xix Javelin Strategy and Research (June 2008). New Javelin reearch pinpoints how institutions should respond to data breaches. http://www.javelinstrategy.com/2008/06/23/debix_06_23_08/. xx Says Linda Foley of the Identity Theft Resource Center, http://www.idtheftcenter.org/. Reported in Krebs, Brian (July 2008). Data breaches are up 69% this year, nonprofit says. Washington Post. http://www.washingtonpost.com/wp-dyn/content/article/2008/06/30/AR2008063002123.html. xxi Alexander, Philip (April 2007). Data breach notification laws: A state by state perspective. Intelligent Enterprise. http://www.intelligententerprise.com/channels/information_management/showArticle.jhtml?articleID=198800638. xxii For all the details regarding each of these bills, see the Privacy and Security Law Blog at http://www.privsecblog.com/archives/federal-legislation-pending-privacy-and-data-security-legislation-in-the- 110th-congress.html. xxiii Schwartz & Janger, ibid. For a set of economic arguments, see Romanosky S., Telang R. & Acquisti, A. (2008). Do data breach disclosure laws reduce theft? Seventh Workshop on the Economics of Information Security. xxiv Wiltshire, Elaine (2007). Cyber-enemy at the gates. The bottom line, 24(8). http://www.thebottomlinenews.ca/index.php?articleid=242&section=article xxv Federal Trade Commission. Defend: Recover from identity fraud. http://ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html#Whatisanidentitytheftreport. xxvi Chandler, J. (2008). Negligence liability for breaches of data security. Banking and Finance Law Review, 23(2). xxvii Chandler, J. (2008), ibid. xxviii Minnesota Statute 325E.64 Access devices; breach of security (2007). https://www.revisor.leg.state.mn.us/statutes/?id=325E.64&year=2007&keyword_type=all&keyword=security+breac h+liability.
  • 13. 13 xxix Vijayan, Jaikumar (May 2007). Minnesota gives PCI rules a legal standing. Computer World. http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=standards_and_legal_iss ues&articleId=293804&taxonomyId=146. xxx Massachusetts House Bill No. 213 (2007). http://www.mass.gov/legis/bills/house/185/ht00pdf/ht00213.pdf xxxi Federal Trade Commission. Defend: Recover from identity theft. http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html. xxxii P.L. 93-579, 88 Stat. 1897, 5 U.S.C. § 552a (1974). xxxiii P.L. 107-56, 115 Stat. 272 (2001), then later P.L. 109-77 (2006). xxxiv Directive  95/46/EC  was  implemented  in  1995  by  the  European  Commission.   http://www.cdt.org/privacy/eudirective/EU_Directive_.html.     xxxv 18 U.S.C. § 2710 (2002). http://epic.org/privacy/vppa/. xxxvi P.L.102-385 (2002). http://projects.washingtonpost.com/congress/102/bills/s_12/. xxxvii P.L. 104-191 (1996). http://www.ihs.gov/AdminMngrResources/HIPAA/. xxxviii 15 U.S.C. §§ 6501-6506, P.L. No. 105-277, 112 Stat. 2681-728 (2000). http://epic.org/privacy/kids/. xxxix 15 U.S.C. § 1681 et seq (1996). http://www.consumersunion.org/pub/core_financial_services/000745.html. xl A Framework for Global Electronic Commerce, The White House (July 1997). http://www.technology.gov/digeconomy/framewrk.htm. xli Borland, J. (August 2007). See who’s editing Wikipedia—Diebold, the CIA, a campaign. Wired. http://www.wired.com/politics/onlinerights/news/2007/08/wiki_tracker. xlii Reported in Edelstein, H. & Millenstein, J. (Dec 2003). DM Review Magazine. http://www.dmreview.com/issues/20031201/7768-1.html. xliii For example, see again Edelstein, H. & Millenstein, J. ibid. xliv See www.truste.org and www.w3.org/P3P respectively.