Saturday, March 14, 2009

California mulling new breach law

There's a new data breach law brewing in California.

Normally I don't pay too much attention to proposed or pending legislation, since so much of it is political grandstanding. I don't have the stats, but I imagine only a small portion of proposed laws ever make it very far in the legislative process, and even fewer actually make it into law.

But State Senator Joe Simitian is the same guy who authored the United States' first data breach notification law back in 2003. He's obviously a guy who has managed to get the ball rolling in the past. That law, which has since been copied in some form or another in 44 states, has in my opinion potentially been the number one driver behind the growth of the security industry in the last few years (and when I say that I include heavy hitters like PCI and SOX). Many CISOs today have their position because the CEO saw a data breach piece on the news. And that data breach piece would never have been in the news if it wasn't for breach notification laws.

Mr. Simitian has introduced a new law called SB20 that makes a few changes in his original breach notification law. It would require breaches of more than 500 records to be reported to the Attorney General's office. And it would require breach notification letters to contain more detailed information about what exactly was breached and how it happened.

There are still no financial compensation requirements in the bill. I heard that this provision was considered but ultimately rejected out of fear that companies would not report breaches.

Which brings me to the one part of breach notification laws that still doesn't make sense to me - ironically, companies with a more developed information security program are more likely to report breaches. A key component of any information security program and policy is to report incidents when they occur. In a smaller company or a company without a security policy, a lost back-up tape or laptop can be swept under the rug by a company eager to avoid triggering a breach notification. In companies with a security policy and security officer, incidents are escalated quickly (because of employee training). A lost laptop could then trigger a breach depending on what data was on it, whether it was encrypted, etc.

It would be interesting to see whether anyone has researched this. At the Security Breach Notification Symposium (appropriately held in California at the Berkeley Center for Law and Technology), Fred Cate estimated that only one in ten breaches is ever made public. My feeling is that public breaches are a much smaller percentage of the actual total.

Here's my back-of-the-napkin calculation: A lost laptop with unencrypted PII triggers a breach under most states' data breach notification laws. It's notoriously difficult to find accurate statistics on laptop losses. But even by the most conservative estimates there are millions of laptops with unencrypted company PII in use in the United States, and tens of thousands are either lost or stolen each year (OK, I am making up these figures, but if you think about it they make sense). And yet the Identity Theft Resource Center counted only 656 publicized breaches for 2008 - and that counts all breaches, not just lost laptops.

So to make a long story short, breach notification laws as they are currently written do not capture even a tiny fraction of the breaches they were meant to address. I don't have an easy answer to this, but the next generation of data breach laws should contain some language that strengthens compliance by all companies, not just those with security policies in place.
