When Data Breaches go Unreported


UNREPORTED BREACHES

I have encountered dozens of data breaches by schools, companies, doctors’ offices, and other organizations over the past two years. Of the many lessons I’ve gleaned from these experiences, one stands out: An alarming number of breaches go unreported. While the cause may differ from one instance to another, I have discovered several recurring themes:

  • Entities Fail to Detect Breaches. Many organizations do not have proper diagnostic processes to detect breaches when they occur, and many do not even keep proper logs. Thus, when many press releases read, “we have no evidence that the sensitive information was accessed…” it may simply mean that they did not keep any records, and thus literally have “no evidence.”
  • Entities Underestimate the Severity of Breaches. Doing a simple cost/benefit analysis, organizations often come to the logical conclusion that the PR ‘costs’ of announcing a breach (especially when no proof of access exists) far outweigh any benefits. However, when the victims learn of the breach directly, or when the media is notified of the breach, organizations tend to take it more seriously.
  • Victims Lack Sufficient Information to Advocate for their own Interests. One of the cruel ironies of data breaches is that the only source of information about a breach is filtered, packaged, and presented by the organization responsible for the breach. The breaching entity’s concern is to minimize perceived liability; therefore it is in their best interest to restrict the flow of information about the breach as far as possible. Without a complete understanding of what information was breached, victims are unable to be effective advocates for themselves.
  • Organizations are Ignorant of Applicable Law, if it Exists. Even in states where breach notification laws exist, smaller organizations often assume that the law only applies in limited circumstances, to larger companies, or to particularly large breaches.
  • Leaders are Uncertain of Proper Action. I think that most organization leaders intend to do the right thing. But in the event of a breach, some aren’t sure exactly what to do, how to make an announcement, who to notify, or under what circumstances they must make an announcement. And there aren’t many resources to help them figure things out.
  • The Market does not Value Privacy. Privacy is expensive, but the costs of violating privacy are small. In many countries, privacy laws counteract the Market’s enmity toward privacy. The United States has precious few laws to counteract anti-privacy market forces. Until the Market recognizes the true costs to society for failing to protect privacy, privacy legislation is necessary.
  • Ironically, the Victims’ Privacy May Shield the Breaching Entity. Every once in a while, a breaching entity will attempt to sacrilegiously wrap themselves in the victims’ cloak of privacy that they have just tattered. These entities might fail to report any relevant information about a breach on the false premise that they wish to protect the privacy of those affected. Of course, functionally keeping a victim in the dark about the extent of an identity breach does not protect him; it only protects the breaching entity.

And for the most part, organizations which choose not to report breaches get away with it.

REPORTED BREACHES

I believe that breaching organizations have at minimum a moral (and often legal) responsibility to notify victims of their risks. I also believe they have moral obligations to bear the true costs of their mistakes. However, even if a breach is detected and reported, full notification is functionally impossible under almost every circumstance, even among well-intentioned organizations:

  1. Not everyone will read the press release. Most breaches have a media shelf life of only 24-72 hours. The assertion that every victim of an identity breach will hear about the breach and be able to identify himself as a victim within the first 72 hours of media attention is ludicrous. However, a victim who misses the announcement remains at risk for years.
  2. 100% contact is functionally impossible. Even if the breaching organization has a record of the victims’ contact information, the information may be out of date. People move, phone numbers change, and many addresses are incomplete or not on file. Letters that do arrive at the proper address may be ignored. Though direct contact is the best method of notification, even a good-faith effort of direct mailing and phone calling cannot ensure that everyone is notified. Multiple contact strategies should be applied over long periods of time to reasonably ensure that most victims are notified.
  3. The notification message is always incomplete. I have read dozens of breach press releases, and they almost write themselves: “On X date, we discovered that some personal information was compromised. We acted immediately to make the information unavailable, and we have no evidence that anyone accessed it for inappropriate reasons. You should get a credit report as a precaution.” For reasons explained above, I have yet to read a single breach announcement that explains the full depth and breadth of a breach. The lack of information keeps victims in the dark about what their true risks are, and denies them the opportunity to be effective advocates for themselves.
  4. Many breach notification laws are weak. Most data breach notification laws only require an organization to say, “Oops.” If the organization is feeling nice, they’ll say, “Oops, sorry.” And if they’re feeling gregarious, they’ll say, “Oops, sorry, and here’s a free report of how much damage has been done to your life. You’ll still be at risk for years to come, though, so stay vigilant. Good luck.” But they have no responsibility to help you clear your name when someone purchases a car or home in your name, or when someone commits a crime with your identity, or if an identity thief makes it impossible for you to qualify for medical insurance. Merely getting a credit report does not protect against many of these risks, and victims can’t look to the breaching entity for help.

UTOPIA

Some privacy advocates dream of a fairy tale Utopia where all victims of identity breach will receive a personalized phone call or letter, detailing the extent of the breach, and an explanation of exactly what risks they face.

It is a dream I do not share.

In fact, the more I think about this dream, the more nightmarish it becomes. In this “Utopia,” every organization you come in contact with (every store, school, business, church, club, or government agency) must collect a full battery of contact and personally identifiable information with which to notify you of a potential future breach. Since the risk of breach can increase with time, these organizations would have to maintain updated records on your whereabouts, contact information, and identifiable information in perpetuity. To believe in such a privacy fairy tale world is not only naïve, but dangerous.
