Friday, May 29, 2009

Maine Gives 7 Days for Breach Notification

Maine is tightening the screws on its data breach law. Breaches will need to be reported within 7 business days unless the authorities request otherwise. The bill, signed into law by the governor last week, goes into effect in 90 days.

Maine is pretty much going it alone by taking this step. The vast majority of the 44-odd states with data breach notification laws let companies decide what timing makes sense. Here's what most of them have to say:

The disclosure must be made without unreasonable delay, consistent with the legitimate needs of law enforcement… or consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

As far as I can tell, the only other state that defines a notification deadline is Florida (if someone else knows of other states please let me know). It gives 45 days after the discovery of the incident and - unlike Maine - has stiff financial penalties for delayed notification.

The Maine and Florida laws might end up getting swallowed up if a pending federal data breach notification law is passed. It would pre-empt these state laws and give no deadline for notification. The proposed federal law largely mirrors the prevailing state law language of avoiding "unreasonable delay". As this legislation is still under consideration and likely to change, now is a good time for policy makers at both the state and federal level to ponder whether breach notification laws should give hard deadlines.

Data Breaches and Reasonability

So who gets to decide what is a reasonable delay when notifying?
Getting notification in time obviously matters to consumers. The impact of identity theft is limited if consumers get the heads-up in time to take out a security freeze on their credit reports. (Security freezes are available in most states and make access to credit reports much more difficult.)

Deadlines aren't the only place that data breach laws refer to reasonability. Many states only require notification if there is a “reasonable” likelihood of identity theft resulting from the breach. I have written before about the way this has the ironic effect of punishing honest businesses with strong IT management. In borderline breach cases they are much more likely to notify than to make a questionable determination that there is no "reasonable" risk of identity theft.

Companies that don't notify never really get called out on it. The large majority of states still do not have a requirement for breaches that do not trigger a notification to be reported to the Attorney General or another state entity. This of course makes it much easier to sweep repeated data breaches under the proverbial rug.

A judge recently ruled in favor of Hannaford in the lawsuit that data breach victims had brought against the supermarket chain in Maine. The judge cited the lack of a strict notification deadline, which may have prompted legislators to act. However, the judge also cited the lack of a reasonable risk of identity theft in not awarding damages.

Identity theft is such a nebulous concept that it is very hard to measure whether a reasonable risk exists or not. This is part of the reason that some state laws presume a reasonable risk to exist by virtue of the fact that certain personally identifiable information (PII) has been leaked. The one exemption that all states grant is for encrypted data, which has spawned an entire industry of full disk encryption products. But interestingly, the encryption the law talks about is very different from the encryption the vendors talk about.

Encryption and the Get-Out-Of-Notifying-Free Card

Security folks think of encryption in terms of DES, AES, RSA and other encryption algorithms that use public and private keys to encrypt data. Various algorithms have come in and out of fashion due to their vulnerability to mathematical attacks like differential cryptanalysis or real world attacks like differential power analysis.

Now let’s gently exit the world of cryptographers and enter the legal world. Most state laws don't define encryption at all, but when they do it looks something like this:

"Encrypted" means transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key or securing the information by another method that renders the data elements unreadable or unusable.

But where's the key? The minimum 128 bits? The ban on single DES? It turns out that for legal purposes, encryption requires only some form of obfuscation. It doesn't even need to involve a key. It doesn't even need to involve many CPU cycles. You just need to make sure that the way you obfuscate and then unobfuscate is confidential.

So who's right? Should a lost USB stick with personal data encrypted by a simple, vulnerable encryption algorithm (say single DES) require notification? The purist/cryptographer answer would be yes. Does it require notification from a legal perspective? A lawyer would probably say no [although I am by no means a lawyer].

This time I think the lawyers are right. The risk of identity theft from personal information on lost media is already very small; after all, the person who finds a lost laptop, USB stick, or mobile phone is very unlikely to be interested in the data. Now suppose that data is encrypted in some light but ultimately breakable way. The likelihood of actual identity theft drops down to almost nil. What are the chances that the guy who found your iPhone on the subway is both interested in your data and capable of decrypting DES?

That's not to say of course that there isn't data that merits industrial strength encryption, especially when placed on a portable device. But for the purposes of breach notification in the case of loss, sometimes we do really need to keep in mind what is reasonable.
