Profound Changes in Views on Disclosing Identity Theft

This entry is part of a series we are writing on Identity Theft.  Look for more Identity Theft posts throughout the month of June.


Ralph Basham, director of the U.S. Secret Service, said recently that “Information is the world’s new currency.” If true, we are learning that in a world where leaks can allow sensitive personal information to be taken and used to commit identity fraud, the United States is purely gushing currency.

It has become painfully clear that U.S. organizations have not excelled in protecting information and until recently have done poorly in admitting to the exposure of sensitive information to potential thieves. Companies often have elected not to warn the customers whose information was exposed or to even notify law enforcement authorities.

Experts tell us that in the past companies almost never disclosed data breaches and that the FBI and Justice Department actually worked to shield the identities of corporations that had been hacked, in an effort to encourage companies to report the crimes.

We can attribute the fact that we’ve been hearing about so many information breaches in the past few months to a California law that took effect in 2003. It requires disclosure when sensitive information about Californians is exposed, and ChoicePoint’s disclosure in February of its own security breach seemed to draw attention to the law and ignite a series of disclosures.

ChoicePoint and LexisNexis representatives testified to a Senate committee that they did not report some data breaches to potential victims before the California law went into effect. And in fact, it looked at first like ChoicePoint was only going to admit to the exposure of information about California residents.

It was only later, reportedly after the attorneys general of multiple states demanded disclosure on behalf of their citizens, that ChoicePoint disclosed the leak of information about non-California residents.

California law has had a significant impact on our awareness of data leaks. We point this out in part because new law in this country often begins in California and then spreads; that is a general observation about a recurring phenomenon, and it is at work in this situation. Recently 28 other states were considering or had enacted similar legislation requiring disclosure of data leaks. Arkansas, Georgia, Montana, North Dakota and Washington have enacted new laws. Florida and Illinois legislation has been passed but not yet signed by their respective governors.

Here’s another recurring phenomenon relating to regulation of technology and cyberspace: Congress sometimes is slow to act and ends up being pressed into moving on an issue only after the states begin creating a patchwork of laws. A state patchwork doesn’t work very well in the technological and online arena because borders tend to disappear, and jurisdictional differences can create commercial obstacles. On anti-spam legislation, anti-spyware legislation and disclosure of data leaks alike, Congress has been slow to act.

With most of the states considering or enacting laws that require disclosure of data leaks, there’s also legislation pending in Congress. U.S. Senator Dianne Feinstein, a California Democrat, introduced earlier this year the Notification of Risk to Personal Data Act, and after the ChoicePoint leaks she re-drafted the bill to make it more stringent.

It would require businesses and government agencies to notify likely victims when there is a "reasonable basis to conclude" that an unauthorized person has obtained personal data. There’s a companion bill in the House. Enforcement would be by the FTC or state attorneys general.

There is considerable debate over whether to require disclosure of the exposure of information that was encrypted. Some are arguing that disclosure should not be required when the data was encrypted. The California law does not require disclosure of a leak of encrypted data. Feinstein’s bill does.

Clearly, the better standard of care is to store data in an encrypted format, and for your clients to build (or at least recommend) encrypted systems for their customers.

A similar federal bill failed last year under opposition from financial institutions. But with much more attention and concern about the subject this year, it appears likely that before long most if not all Americans will be protected by disclosure law.

Here’s a partial list of disclosures between February and May 2005; this is only a list of disclosures reported in national media:

February

– ChoicePoint, records of 145,000 people, thieves posing as customers

– Bank of America, 1.2 million, lost backup tape

– PayMaxx, 25,000, data exposed online

March

– DSW/Retail Ventures, 100,000, exposed to a hacker

– LexisNexis, 32,000, passwords exposed

– Boston College, 120,000, hacking

– UC Berkeley, 98,000, stolen laptop

– 3 universities, 70,000, hacking

April

– 2 universities, 300,000, hacking & theft

– LexisNexis, 280,000, passwords exposed

– Polo Ralph Lauren, 180,000, hacking

– DSW/Retail Ventures again, 1.3 million

– Ameritrade, 200,000, lost backup tape

– San Jose Medical Group, stolen computers

May

– Time Warner, 600,000, lost backup tapes

– Bank of America, Wachovia, PNC Bank and Commerce Bank, up to 675,000, data theft ring

– Stanford University, 9,900, hacking

– Omega World Travel, 80,000, stolen laptop containing names and credit card information of U.S. Department of Justice employees