Because I am Here » Data Breaches

7 Sources of Data Breaches You’ll Never Hear About: Your Network Drives

Titus — Tue, 05 Apr 2011 06:09:46 +0000

If you think that the tangle of Cat5 in your server room is a mess, wait until you look at your network drive file structure. Licensed from Stock Exchange.

This is the seventh post in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices , Your Browser, Your Inbox, Your Thumb and External Drives, Your Old Computer, and Your Cloud Backup . Finally, we’ll discuss Your Network Drives.

Most companies have an internal corporate network with one or more shared network drives. If your company network drive is typical, it’s a layered mess of multiple naming conventions, files from employees who haven’t been around for years, and old documents with unrecognizable file extensions. Frankly, it’s impossible for anyone to know exactly what’s there.

Sometimes breaches happen when the internal network is not properly segregated. Only individuals or departments with a “need to know” should have access to sensitive information. The Human Resource department should never have access to trade secrets, while the R&D department shouldn’t have access to HR data. The Executive team should have access to confidential client information, while that information might be best kept away from the Sales department.

Aside from inappropriate network segregation network drives, like all computer devices, are eventually replaced. Old hard drives are sometimes donated to schools, sold on Ebay, thrown away, recycled through Best Buy or a similar program, or just stored and forgotten.

Several researchers, including Simpson Garfinkle, have demonstrated that with a small budget you can recover hundreds of thousands of pieces of personal information from used hard drives. Like other computing devices, old network drives must be scanned and completely wiped of all sensitive personal information before they leave your possession.

Remember the fundamentals rules of all data breaches: 1. If you don’t have it, you can’t breach it. 2. Old, forgotten data is dangerous data. Regularly scan these seven types of devices for personal information so that your next breach doesn’t originate from your own computer.

Article first published on Security Catalyst.

7 Sources of Data Breaches You’ll Never Hear About: Your Old Windows 95 Computer

Titus — Tue, 29 Mar 2011 06:02:47 +0000

Digital pack rat: You probably have a backed-up copy of your old 256 MB hard drive, don't you? Licensed from Stock Exchange.

This is the fifth post in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices , Your Browser, and Your Inbox, and Your Thumb and External Drives. Next we’ll discuss Your Old Windows 95 Computer.

Technology has made it easier than ever to be a digital pack rat. Cheap and plentiful memory probably means that you have backed-up a copy of your old 256 MB hard drive, which you also have stashed somewhere in your basement. Before blindly making back-up copies of old hard drives, make sure that you first delete any information you don’t want to save.

I see this problem haunt people across the country. Once a week a university professor somewhere in the United States copies an archived copy of an old hard drive to a web server, without realizing that the hard drive contained social security numbers of students who graduated a decade earlier. Within weeks those social security numbers can be available to the world via Google.

If you’re a digital pack rat, make sure you scan those old hard drives for sensitive personal information before making backups. Your old hard drive is one of the biggest sources of preventable data breaches you’ll never hear about.

Article first published on Security Catalyst.

7 Sources of Data Breaches You’ll Never Hear About: Your Thumb Drive

Titus — Thu, 24 Mar 2011 06:49:06 +0000

The Law of Portable Device Breaches says that the risk of losing a device, and the information thereon, is directly proportional to its portability. Licensed from Stock Exchange

This post is the fourth in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices , Your Browser, and Your Inbox. Here we’ll explore Your Thumb and External Drives.

Just about anything that can store information can be used to store sensitive personal information. Whether you use an external drive to back up sensitive data, or use a thumb drive to transfer large files from one computer to another. The Law of Portable Device Breaches (which I just made up) says that the risk of losing a device, and the information thereon, is directly proportional to its portability. In real terms, this extremely scientific law means that you’re more likely to leave your cell phone at the bar than your desktop computer.

Readers of this blog no doubt assiduously delete sensitive information from portable devices on a regular basis. But simply deleting files doesn’t actually erase the data. Just like cranberry juice on white linen, personal information stains hard drives.

Simply throwing a stained table cloth in the washing machine won’t remove cranberry juice stains. Likewise, simply hitting the “delete” key and emptying the recycle bin won’t completely remove personal information from your thumb or external hard drive. The hard drive usually remains stained with the sensitive information, which may be recovered until you proverbially “scrub” the drive. This scrubbing is called “shredding” the file, and typically requires at least a three-step deletion process whereby each byte is individually overwritten.

You should always think twice before copying sensitive files, such as tax documents, pictures, passwords, or confidential documents to removable media. Regularly scan removable media forgotten personal information so that when you leave your thumb drive in the taxicab, you don’t accidentally cause your own data breach.

Article first published on Security Catalyst.

7 Sources of Data Breaches You’ll Never Hear About: Your Browser

Titus — Thu, 17 Mar 2011 06:36:22 +0000

Your Stored Passwords: Not exactly secured. Licensed from Stock Exchange.

This post is the second in a series about data breaches you can prevent. We’ve already covered Phones and Personal Computing Devices. The next source we’ll explore is Your Browser.

Laptops, desktop computers and smartphones all have built-in internet browsers. A typical browser can store hundreds of passwords and usernames, credit card numbers, contact information, and browsing history. Even though we use our smart phone browsers to do a significant number of online transactions, typical smart phone browsers do not allow users the same degree of privacy control as desktop browsers.

Aside from browser hacks and viruses, it’s important to remember that your browser caches remain intact and accessible even after the machine is lost, stolen, or sold. That’s one reason why it’s important to scan your browsers for personal information and delete unnecessary information, and use a master password whenever possible.

I fancy myself a fairly savvy and privacy-aware individual. I use Firefox and have installed several plugins to help me manage my privacy, including Better Privacy, GoogleShairng, a few PrivacyChoice Plugins, and Abine’s TACO. But when I ran an Identity Finder search, even I was shocked to see the depth of information that my browser stored. It was very sobering to see that my usernames, passwords, and credit card numbers were accessible in plain text. Fortunately, Identity Finder allowed me to delete or secure all of that information.
If your browser caches are ever lost, it may represent a significant breach of personal information. So make sure you are aware what information your browser is storing, because you shouldn’t expect to get a letter in the mail if it ever falls into the wrong hands.

Article first published on Security Catalyst.

7 Sources of Data Breaches You’ll Never Hear About: Your Phone

Titus — Tue, 15 Mar 2011 06:31:28 +0000

Smart phones are now portable computers which just happen to make calls. Licensed from Stock Exchange.

This post is the first in a series about preventable data breaches. Most Americans have received a letter, telling them that their personal information has been breached. But there are many breaches you’ll never hear about, and many of them are right under your nose. The first source we’ll explore is Your Phone and Personal Computing Device.

Remember when cell phones were telephones? Those days are long gone. The current generation of smart phones are powerful computing devices which just happen to also make phone calls.

Your personal computing devices perform almost all of the functions of a laptop computer. Smart phones, iPads, Kindles, and other devices are notoriously easy to lose, and store gigabytes of files, passwords, credit card numbers, social security numbers, digital photos, address books, and email attachments. Because of the wealth of personal information on a cell phone, most people would rather lose their wallets, and nearly all respondents to a 2009 survey said they would be “devastated” if they lost their phone.

Upgrading your phone can be as risky as losing it. Some people donate their old phones to charity or sell them on Ebay, and experts warn that personal information on the phone could easily be mined and re-sold. Periodically search your cell phone for personal information, and make sure that you digitally shred the entire contents of your mobile device before you get rid of it.

Article first published on Security Catalyst.

A Message From Walgreens

Titus — Sun, 12 Dec 2010 05:09:19 +0000

A friend of mine recently received the following email from Walgreens:

December 10, 2010
Dear Valued Customer,

We recently became aware of unauthorized access to an email list of customers who receive special offers and newsletters from us. As a result, it is possible you may have received some spam email messages asking you to go to another site and enter personal data. We are sorry this has taken place and for any inconvenience to you.

We want to assure you that the only information that was obtained was your email address. Your prescription information, account and any other personally identifiable information were not at risk because such data is not contained in the email system, and no access was gained to Walgreens consumer data systems.

We realize you previously unsubscribed from promotional emails from Walgreens, and that will continue. As a company, we absolutely believe that all customer relationships must be built on trust. That is why we believe it is important to inform you of this incident. Online security experts have reported an increase in attacks on email systems, and therefore we have voluntarily contacted the appropriate authorities and are working with them regarding this incident.

We encourage you to continue to be aware of increasingly common email scams that may use your email address to contact you and ask for personal or sensitive information. Always be cautious when opening links or attachments from unsolicited third parties. Also know that Walgreens will not send you emails asking for your credit card number, social security number or other personally identifiable information. So if ever asked for this information, you can be confident it is not from Walgreens.

If you have any questions regarding this issue, please contact us at 1-888-980-0963. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Sincerely,
Walgreens Customer Service Team

Translation

Dear Valued Former Customer Who Doesn’t Want to Hear From Us,

We know you have already unsubscribed from our mailing lists. You may have thought that we deleted your email address, but in fact we decided to keep your email in our databases anyway. Now it was stolen. Sucks to be you, because now you’ll probably get more spam and scam mail. We reported the breach to the police, knowing full well that they don’t care one little bit, but we at least hope do some PR damage control by looking serious about this.

Sincerely,
Wallgreens

P.S. We still don’t plan to actually delete your email address from our systems and eliminate the risk of a future breach.

Well, at least I have to give them points for owning up to the breach. Many companies wouldn’t even do that much.

HIPAA Breach Notification Requirements Effective September 23, 2009

Titus — Tue, 22 Sep 2009 13:17:01 +0000

The department of Health and Human Services (HHS) and the FTC have issued a new interim final rule governing health information breach notification requirements. I blogged on this issue back in March 2009, just after the stimulus package, American Recovery and Reinvestment Act of 2009 (ARRA), passed.

This rule, issued in response to ARRA, goes into effect on Wednesday. At that point, all HIPAA-covered entities and their business associates must notify individuals and HHS when personal health information has been breached. HIPAA-covered entities include health plans, health care clearinghouses, or health care providers. The rule also covers “business associates” which include billing companies, transaction companies, lawyers, accountants, managers, administrators, or anyone who handles health information on behalf of a HIPAA-covered entity.

A breach is when individually identifiable health information is acquired, used, accessed, or disclosed to an unauthorized party, in a way that compromises its security or privacy. A “breach” does not include inadvertent disclosures among employees who are normally authorized to view protected health information. A breach also does not include exposure of encrypted personal health information, for example.

When a breach occurs, the covered entity must notify victims and the Secretary of Human Services “without unreasonable delay,” and within 60 days of the discovery of the breach. The covered entity must notify the individual directly if possible (ie, by mail), and must also post a notice on its website if the breach involves 10 or more victims who are not directly reachable. If the breach involves more than 500 residents of a single state, the covered entity must also notify statewide media.

In certain limited circumstances a vendor might be subject to HHS and FTC notification rules. In this case, a vendor which serves the public and HIPAA-covered entities may comply with both rules by providing notice to individuals and the HIPAA-covered entity. In many instances, entities covered by this rule must also comply with applicable State notification laws. The test for pre-emption is whether the State law is “contrary,” to the federal law or whether “a covered entity could find it impossible to comply with both the State and federal requirements.”

Compliance

Of course, the best way to comply with the law is to avoiding breaches altogether. The most straightforward way to avoid having a breach is to encrypt personal health information. But if a breach does occur, complying with the law is straightforward. In addition to the requirements above, the notification must include a brief description of the incident, including the following information:

Date of the breach;
Date of discovery;
Description of the types of protected health information breached;
Steps individuals should take to protect themselves from potential harm resulting from the breach;
A brief description of the investigation, efforts to minimize losses and prevent future breaches;
Contact information for individuals who wish to ask questions or learn more information, including a toll-free phone number, e-mail address, website, or postal address.

Beyond that, you’ll have to minimize your losses by repairing your company’s public image, regaining your customers’ trust, and mitigating civil liability.

References: 45 CFR parts 160, 162, and 164.

Note: This article was originally published on the J.C. Neu & Associates Blog.

Data Breach Notification Requirements in the United States and European Union

Titus — Tue, 19 May 2009 10:34:30 +0000

Note: This article originally appeared on Jeffreyneu.com

This brief analyzes more than 40 United States Breach Notification laws, the American Recovery and Reinvestment Act, and compares those requirements with EU Directives 2002/58/EC, 2002/21/EC, and the Data Protection Working Party Opinion 1/2009 on 2002/58/EC proposed amendments. This brief does not address individual EU member states’ implementations of EU Directives 2002/58/EC and 2002/21/EC.

Executive Summary

Both the United States and European Union require certain entities to notify individuals when their personal information has been breached. In the United States, State Breach Notification Laws (BNLs) require persons and organizations to notify individuals whose personal information has been "breached." BNLs generally apply to any entity which possesses certain classes of personal information, such as social security numbers or account numbers. The usual elements of a breach are as follows, with common variations in parentheses:1. (Reasonable likelihood of) Unauthorized and Bad Faith 2. Acquisition of3. Unencrypted or Unredacted 4. (Computerized) Personal Information, 5. (Which is likely to cause harm).Absence of one or more of these elements will defeat the notification requirement, whereas mere knowledge of a potential breach will often trigger a duty to investigate.^[1]With the exception of certain health information breaches, ^[2] breach notification requirements are not yet Federalized.

The approach of European Union Directives varies in two key aspects: First, the EU adopts a broader definition of "personal information," or "personal data." Second, in contrast to United States BNLs, European Union Directives impose notification requirements based on economic sectors rather than data possession.The table below illustrates the differences in approaches, by example, which may not be correct under every circumstance.

Notification Required?
			Communications Sector		Private Sector		Public Sector
Example Breached Information			US	EU	US	EU	US	EU
Information Protected In:	EU	IP Address & Name	No	Yes	No	No	No	No
	EU	Itemized Bill	No	Yes	No	No	No	No
	US & EU	Name& SSN	Yes	Yes	Yes	No	Varies	No
	US & EU	Name & Password	Yes	Yes	Yes	No	Varies	No

Anatomy of US Breach Notification Laws

Data Breaches are regulated by states, with the exception of health information breaches, which were Federalized under the American Recovery and Reinvestment Act of 2009 (Stimulus Package), which mimics state BNLs.^[3]

Since California passed the Security Breach Information Act of 2003,^[4] all but a handful of States have enacted similar breach notification laws. These laws require consumer notification when sensitive personal information is accessed by an unauthorized person.Each law imposes subtly different duties and requirements on stewards of personal information.

Legislative findings in several states emphasize the importance of preserving trust and confidentiality.^[5] Other legislatures emphasize the need to protect consumers from identity theft and other misuse of personal information.^[6]Still others aim to encourage businesses to protect personal information,^[7] decrease identity theft,^[8] or to protect the "confidential relationship" among financial institutions, creditors, and customers.^[9] Some US statutes create a right of action for third-party data owners, such as financial institutions, without creating an equivalent right for data subjects.^[10]

Covered Entities

Without traceable legal precedent,^[11] breach notification laws treat data as a type of property, and apply to entities that “own” or “license” personal information.Despite the legal ambiguity surrounding the concept of "owing" personal information, a surprising number of notification statutes do not expressly define the term. Those that do, often define "owning" broadly, to include all entities that "retain" personal information for a legitimate purpose.^[12]Licensees of personal information must also notify the data owners in the event that the personal information is breached on their watch.^[13]

In addition to notification obligations, breach notification laws often impose additional duties, which vary depending upon the storage media.For example, California businesses have a duty to properly destroy "any material, regardless of the physical form, on which [personal] information is recorded or preserved by any means…" including graphic, audio, and written information in all forms.^[14]However, a notification requirement is triggered only upon unauthorized acquisition of computerized data.^[15] In contrast, Hawaii requires notification of a breach, regardless of the media the personal information was stored on.^[16]

Breach notification laws can reach beyond state borders because they apply to entities that maintain personal information about residents, even if the breached database is located out-of-state. ^[17]For example, Arizona imposes a notification duty on any natural, legal, or corporate entity "that conducts business in this state and that owns or licenses unencrypted computerized data that includes personal information," of Arizona residents.^[18]Several other states impose broad duties on any person, group, or corporate entity that maintains personal information of state residents.^[19] And others bifurcate duties among special classes of actors, such as state or local municipalities.^[20] In several instances, municipalities or state agencies may be exempt from notification or other parts of the law altogether.^[21] Other common classes of exempted businesses are financial institutions subject to the Gramm-Leach-Bliley Act of 1999 (GLB),^[22] medical institutions subject to Health Insurance Portability and Accountability Act of 1996 (HIPAA),^[23] consumer reporting agencies,^[24] or any business subject to more stringent law.^[25]Some statutes create unusual notice exemptions, for information brokers^[26] and even property and casualty insurers.^[27]

The practical effect of these exemptions is limited because they are far from uniform. Although an inter-state financial institution may choose to scrupulously adhere to the technical details of each states’ rules, such a strategy may have negative public relations consequences. In fact, in an effort to limit public relations damage, many companies now exceed statutory minimum requirements and provide credit monitoring services to breach victims.^[28]As a practical matter, organizations that maintain customer information and operate in more than one state will likely be subject to the most stringent combination of all states’ notification laws.

Breach of the Security of the System

California’s Security Breach Information Act first adopted the term "breach of the security of the system," which is defined as an "unauthorized acquisition of computerized [personal] data."^[29]Entities covered by the statute cannot defeat its provisions simply by failing to secure personal information, because California’s law also creates a duty to "provide reasonable security" for personal information.^[30] A breach of the security of the system triggers notification to the affected individuals.^[31]A breach is comprised of several common components, which vary by state. The usual elements of a breach are as follows, with common variations in parentheses: 1. (Reasonable likelihood of) Unauthorized and Bad Faith 2. Acquisition of3. Unencrypted or Unredacted 4. (Computerized) Personal Information, 5. (Which is likely to cause harm).Absence of one or more of these elements will defeat the notification requirement, whereas mere knowledge of a potential breach will often trigger a duty to investigate.^[32]

Unauthorized and Bad Faith Acquisition

At least seventeen breach notification laws trigger an unqualified duty to notify, when personal information is acquired by an unauthorized individual.^[33]New York quantifies factors that help determine unauthorized access, including indications that the information is in the "physical possession and control of an unauthorized person," that it has been "downloaded or copied," or that an unauthorized person has used it to commit a crime.^[34]A few states broaden the notification trigger to include acquisitions that were "reasonably believed" to have occurred.^[35]In contrast, states like Florida and Idaho narrow the acquisition requirement to "illegal" or "unlawful" acquisition of personal information, before imposing a notification duty.^[36] The remaining statutes impose no duty to notify if the breach not will reasonably cause harm to the affected individuals.

Notification requirements are defeated if the transaction of personal information is authorized by the data owner, not necessarily the individual. This point is reiterated in several statutes which somewhat redundantly declare that "good faith" acquisitions do not constitute a breach.^[37]Once a person yields personal information to a third party, breach notification laws do not preserve his right to authorize or disallow further dissemination of his personal information. The right to authorize use of personal information belongs to the data steward, who is free to authorize or license the data to third parties as it sees fit, or in accordance with contract or other law. Absent a customer contract to the contrary, the only difference between an authorized and unauthorized acquisition of personal information may be a marketing agreement.

Unencrypted or Unredacted Sensitive Personal Information

In general, encrypting or redacting personal information eliminates the obligation to notify, because encrypted or properly redacted personal information is unreadable or unusable.^[38]Indiana law extends this exception to stolen laptops, if they are merely password-protected.^[39]

Broadly speaking, "personal information" is any information about a person, including a birth date, a favorite color, or a pet’s name. However, not all personal information is objectively sensitive or identifying. Breach notification laws tend to protect specific enumerated sets of personal information deemed to be universally sensitive.

All US BNLs require notification when a person’s unencrypted or unredacted name, in conjunction with their social security number, or financial account number and password, is breached.^[40] Other common sets of protected information include driver’s license numbers,^[41] medical information,^[42] and biometric indicators.^[43] California’s law also places additional obligations when handling 34 other types of sensitive personal information.^[44] In general, the last four digits of the Social Security Number are not protected.^[45]

Likelihood of Harm or Misuse

States as diverse as New Hampshire, Colorado, Delaware, Idaho, Kansas, Maryland, and Michigan impose a "likelihood of misuse" or "harm" test before requiring notification.^[46]However, "misuse" is not defined in many of the statutes, and many give no standard for determining "likelihood," nor "harm."Arizona applies a narrow definition of "harm," requiring notification only if a breach "is reasonably likely to cause substantial economic loss to an individual."^[47] Here, notification is only triggered when there is a likelihood of economic loss.These statutes do not recognize the harm of embarrassment, loss of confidentiality, or lost privacy.

Notice

Once all of the components of a breach are satisfied,^[48] a covered entity must notify the affected individuals about the incident, in general terms.^[49]Data owners must first make an effort to contact the affected individuals directly.In most states, primary notice consists of written or certified electronic notice, ^[50] telephone, ^[51] or by some other form of communication with which the business regularly contacts customers, in accordance with an established information security policy.^[52]In addition, third-party licensees of information must notify the data steward if a breach occurs.^[53]Substitute notice is allowed in the event that the entity does not have sufficient contact information,^[54] or if the affected class is sufficiently large, or if the cost of notification would cause undue economic hardship.

States vary radically on how they balance economic hardship. New Hampshire and Pennsylvania have the most lenient threshold for providing substitute notice. In those states, an entity may avoid direct contact if the cost would exceed $5,000, or the affected class of individuals is larger than 1,000.^[55]Nebraska and Ohio provide a tiered approach- small businesses or agencies with ten or fewer employees have substantially lower thresholds of cost/class size than larger entities.^[56]And Wyoming takes a decidedly protectionist stance, requiring out-of state entities to demonstrate a cost of $250,000 or a class of 500,000 individuals, while in-state persons or businesses need to demonstrate a burden of only $10,000 or 10,000 persons to qualify for substitute notice.^[57]In general, substitute notice thresholds range from $100,000-$250,000 for cost of notice, or an affected class of 200,000-500,000.^[58]

Although multi-state businesses could strictly adhere to the notice provisions state by state, the practical public relations effect is that interstate businesses will have to meet a $250,000 and 500,000 person burden, or demonstrate that they do not have sufficient contact information, before taking advantage of the much cheaper Substitute Notice provisions. With very few variations, substitute notice consists essentially of three things: E-mail notification (when available), notification on the company’s website, and notification to statewide media.^[59]

Entities must deliver primary or substitute notice quickly, after verifying the scope of the breach, and securing the data system, subject to the needs of any law enforcement investigation. Statutes have nuanced definitions of expediency, from "the most expedient time possible and without unreasonable delay,"^[60] to "as soon as reasonably practicable. "^[61]Florida and Wyoming require notification "without unreasonable delay," but "no later than 45 days following the determination of the breach. "^[62]The recent Stimulus Package requires HIPAA-covered entities to act within 60 days.

Finally, several states require entities to notify third parties when breaches occur, such as consumer reporting agencies, state consumer affairs departments, and state Attorneys Generals’ offices.^[63]However, they need not divulge the names nor personal information of the individuals affected.^[64]

Civil Penalties and Private Rights of Action

Often the state’s Attorney General^[65] can recover civil penalties if a covered entity fails to provide proper notice of a data breach.^[66]Several states classify breaches as a deceptive business or trade practice, and impose civil penalties for violations.^[67]Not all states specify a maximum civil penalty.^[68] In contrast, Arizona provides for a maximum penalty of $10,000 per incident,^[69] while Texas imposes a maximum penalty of $50,000.^[70]New York’s civil penalty is capped at $150,000,^[71] while Florida tops out at $500,000.^[72] Finally, Michigan imposes a maximum $750,000 civil fine for failing to notify its residents of a breach.^[73]Some states, including Utah, expressly prohibit a private cause of action based on a failure to notify,^[74] while Delaware and Wyoming leave open the possibility of a private lawsuit.^[75]

A few states, including California and Minnesota, expressly authorize a private right of action, though it’s unclear exactly what kinds of damages are cognizable.^[76]Possible types of damages include apprehension, emotional distress, fear of fraud, loss of money, loss of property, identity theft, false arrest, ineligibility for benefits, the burden and cost of credit monitoring, closing compromised credit accounts, scrutinizing credit card statements indefinitely, loss of privacy, and damage to reputation, to name a few. Several cases have focused on the right of customers to recover for the cost of identity theft protection and mental distress caused by the increased risk of fraud after a data breach. They have generally failed. Some commentators have suggested that requiring data owners to provide identity theft protection for victims is analogous to medical monitoring damages after exposure to toxic substances.^[77] Medical monitoring claims seek to mitigate the long-term risk of disease by recovering for the cost of periodic medical examinations.^[78] By analogy, under this theory a data steward would be responsible to pay for identity theft monitoring where there is: "(1) significant exposure of sensitive personal information; (2) a significantly increased risk of identity fraud as a result of that exposure; (3) the necessity and effectiveness of credit monitoring in detecting, treating, and/or preventing identity fraud."^[79]However, this reasoning has been rejected by several courts.^[80]

In general, courts have held that "costs of purchasing a credit monitoring product" and "time and money spent monitoring … credit" are not recoverable as a matter of law, where "no unauthorized use of … personal information has occurred." ^[81]In those circumstances, any injury is purely speculative, until fraud, identity theft or other misuse actually occurs. Without showing actual or imminent injury, plaintiffs lack Article III standing to recover for an alleged increased risk of identity theft.^[82]Mere apprehension of future fraud or misuse is also insufficient to recover for emotional distress damages.^[83]

Once plaintiffs suffer cognizable harm, they must demonstrate "but-for" causation. This requirement can be insurmountable, because it is often impossible to demonstrate a criminal’s source of personal information, and the criminal may be located in another country or be judgment-proof.^[84]Victims can recover cognizable damages only when they are able to demonstrate the breach of a duty, and proximate causation. In one example, a union regularly sent members’ sensitive personal information home with an employee. The employee’s daughter stole the data and used it to commit several counts of identity theft. The court found that a special relationship existed between the plaintiff and the union, and that the union did not protect against the foreseeable risk of identity theft, because the union "knew confidential information was leaving its premises and no procedures were in place to ensure the security of the information."^[85] The plaintiff was therefore able to recover damages against the union.

In Minnesota, breach notification statutes expressly authorize a private right of action, and a duty to properly dispose of sensitive records.^[86]A school improperly dumped educational records which included information about a student’s IQ, psychological, intellectual, and functional abilities in a school dumpster. The papers blew out of the dumpster and were recovered by fellow students, who used the information to mock the boy. The boy recovered $60,00 in damages for pain and emotional distress and $80,000 for future embarrassment.^[87]The court held that the Minnesota statute creates a duty to destroy records, that the school breached that duty, and that the boy suffered proximate harm due to the failure.^[88]However, absent relatively rare duties to maintain confidentiality, recovering against a breaching entity is exceedingly difficult.

Other Theories of Liability

In his thorough article, Cybersecurity, Identity Theft, and the Limits of Tort Liability, Vincent R. Johnson explores other theories of liability of private suits in states which do not expressly provide for a private cause of action.^[89]Even in those states, an individual may be able to rely upon a notification statute as the basis for a suit alleging negligence per se, where the breach of the duty to notify causes proximate harm to the plaintiff. As embodied by the landmark case, Palsgraf v. Long Island Railroad, Judge Cardozo articulated a fundamental principle of tort liability- that foreseeability and risk of harm defines the duty to another.^[90]Economically efficient laws place duties on those who can most efficiently prevent harm.^[91] Often, data owners are in the best position to prevent harm to customers by increasing security measures to decrease the foreseeable risk of breaches and hacks. Next, failure to correct statements (such as privacy policies) which have become false or misleading in light of new events, may create a tortious cause of action if the data steward fails to warn customers about foreseeable risks to personal information.^[92] In contrast, privacy torts (such as Appropriation of Likeness) is only applicable where the sale or abuse of personal information dilutes the property value of reputation or prestige,^[93] or when the breached information causes extreme emotional distress.

Even absent a court-imposed tort duty, a data steward may voluntarily assume the duty to protect data, most commonly in a privacy policy.^[94] Under this contract theory, the entity is liable if he induces another to rely on his promise to exercise care, to the other’s detriment. In states where data is treated as property, the law accrues harms and benefits of personal information to the "owner" or steward. Minnesota’s notification law has a strong tendency to treat data as property, by providing an express remedy to credit card companies for the cost of replacing credit cards,^[95] but failing to create a private right of action for harm to individuals.^[96] However, several courts have held that privacy policies are notices, not contracts, and are therefore not generally binding.^[97]

American Recovery and Reinvestment Act (ARRA)

Congress recently passed the American Recovery and Reinvestment Act (ARRA), colloquially known as the “Economic Stimulus Package.” Buried in Subtitle D of the massive spending plan, Congress federalized breach notifications for HIPAA-regulated entities. ARRA preempts the few state BNLs which regulate health information breaches. Indeed, a few states already exempt HIPAA-regulated entities from even reporting breaches of social security numbers.^[98] ARRA is currently the only Federal breach notification law, but Congress is likely to pass additional breach legislation in the future. ARRA mimics state notification laws in form and substance, with subtly different elements and duties. An ARRA breach is comprised of: 1. Unauthorized and Bad Faith 2. Acquisition, Access, Use, or Disclosure of3. Unencrypted or Unredacted 4. Protected Health Information, 5. Which compromises the security or privacy of such information. 6. Where an unauthorized person could likely retain such information.

ARRA Covered Entities

ARRA applies to “covered” entities under the meaning of CFR 45 160.103.These entities include Health Plans, Health Care Providers, and Health Care Clearinghouses. The statute dramatically broadens the ambiguous state-law concept of "data owners," and applies to any HIPAA-covered entity that "accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information."^[99] “Protected Health Information” means “individually identifiable health information” which is stored or transmitted.^[100] Such information may include personal information not directly related to health, such as a full name, social security number, date of birth, home address, account number, or disability code.^[101] The law also requires third-party contractors or “business associates” to report breaches to the covered entity.^[102]

The statute also reaches well beyond traditional "covered entities" to any service provider or vendor of personal health records. Presumably, this would include data warehouses like Google or Microsoft, each of which has or has announced plans to create online consumer health records warehouses. However, these vendors need only report breaches to the FTC, which will investigate the event as a deceptive trade practice.

ARRA Breach Components

Like typical BNLs, ARRA requires HIPAA-regulated entities (but not vendors) to notify each individual if their "unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of [a] breach."^[103] The legislation gives liberal exceptions for good faith and inadvertent disclosure, as long as the information is not breached further.^[104]Redaction or encryption using reasonable technology is an absolute defense to a breach.^[105]

ARRA Breach Notice

The breaching entity must notify individuals and the Secretary of Human Services “without unreasonable delay,” and within 60 days of the discovery of the breach.^[106]The covered entity must notify the individual directly if possible, and must also post a notice on their website if the breach involves 10 or more victims who are not directly reachable. Unlike State BNLs, ARRA contains no economic hardship provision which would limit the duty to notify individuals in the case of very large breaches. If the breach involves more than 500 residents of a single state, the covered entity must notify the statewide media.^[107] The notification must include a brief description of the incident, the date of the breach, the date of the discovery, a description of the types of protected health information breached, and steps individuals should take to protect themselves from potential harm resulting from the breach. The notification must also briefly describe the investigation, efforts to minimize losses, and protect from future breaches. Finally, the letter must contain contact information for individuals who wish to ask questions or learn more information, including a toll-free phone number, e-mail address, website, or postal address.^[108]

ARRA Liability

ARRA provides for civil and criminal liability for negligent or willful violations of this law.

Anatomy of European Union Breach Laws

EU breach notification requirements differ in key aspects from United States’ BNLs. First, the concept of "personal information" is much broader in the EU, compared with the United States. U.S. BNLs regulate persons and organization which "own" narrow classes of highly-sensitive personal information, such as social security numbers, while EU Directives regulate the exposure of any personal information. In this sense, EU laws are substantially broader. Second, EU laws regulate economic sectors. Directive 2002/58/EC regulates only the Communications sector, but not the broader "Information Society Service" sector. This means, for example, that a laptop theft from an ISP where the computer contains users’ personal information is a breach. But the same laptop stolen from an online store currently does not constitute a "breach."Third, EU Directives envision national regulatory bodies which coordinate all breach notifications. No single analogous organization (or uniform State entity) exists in the United States.

Despite approaching the problem of breaches from different perspectives, the EU directives and US laws contain several analogous provisions. EU Directive 2002/58/EC emphasizes the importance of protecting confidentiality,^[109] and even encourages minimal collection of personal data in the communications sector.^[110]

Covered Entities

EU Directives impose notification requirements based on an organization’s economic sector. Directives 2002/21/EC (’21) and 2002/58/EC (’58) apply only to the electronic communications sector. Examples of "electronic communications services" are television broadcasters, Internet Service Providers, and Cell Phone companies.^[111] Further, the Directive applies only to personal information collected from customers for the purpose of buying service.^[112] In other words, the directive only protects personal data processed by ISPs, Cell phone and Cable companies; for example, users’ credit card numbers or e-mail addresses.

Notification requirements specifically do not apply to the broader class of "information society services,"^[113] which are covered by Directive 2000/31/EC.^[114]The definition of "Information Society Services" is broad, essentially encompassing any paid service which utilizes modern communication systems ^[115] in order to provide service.^[116] In the information age, this includes almost every conceivable service with customer interactions. ^[117] United States BNLs, in contrast, make few (if any) regulatory distinctions based on economic sector. However, these directives are under review by the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data (Working Party).The Working Party has recommended that the ’58 Directive be extended to Information Society Services, arguing that an extension “is necessary given the ever increasing role these services playing the daily lives of European citizens, and the increasing amounts of personal data processed by these services.”^[118]

Breach of the Security of the Network

Neither the ’58 nor ’21 Directives clearly define what constitutes a “breach,” or whether a notification requirement accrues to a breaching entity.However, ’58 imposes a duty to notify service subscribers of “particular risk[s] of a breach of the security of the network,” along with tips to mitigate the risk.^[119]Presumably, an actual breach would constitute a “particular[ly high] risk of a breach,” and would therefore incur a duty to notify.

Notice

The Directives anticipate that every breach will be reported to a national regulatory agency, but may not be reported to individuals if the breach does not pose a substantial risk.^[120] Absent an explicit duty to notify individuals, the Working Party recommends that “security breaches should be notified to data subjects when they may lead to adverse effects to individuals’ privacy and data protection.”The notification should be in a harmonized format, which includes clear and objective criteria that assist in assessing adverse effects of the breach.^[121]

At least one proposed amendment to the data privacy directives would create a safe harbor for organizations which meet a minimum duty of care by installing “appropriate technological protection measures” to secure personal information, exempting them from all breach notifications. However, the Working Party opposes the amendment because, “[a]ffected users may only be in the position to take appropriate measures to mitigate the risks they are facing if they have been adequately informed…regardless of the technical measures that were actually taken to protect their data.”^[122]

Authorized Use

United States BNLs grant authority to use personal information in property law terms such as “owning” or “licensing” data. Bad-faith, unauthorized use constitutes a breach. Similarly, in the EU, authority to use personal information emanates from the entity which possesses it, though the Directives do not invoke a property-like concept of personal information.^[123]The ’58 Directive further creates an affirmative duty to restrict access to personal information from third parties, limiting access “to what is necessary” for any given activity.^[124] The intent of the ’58 Directive is to require third parties acting under the authority of service providers to assume strict duties to protect the information.^[125]

Definition of Personal Information

In the United States, protected personal information typically consists of narrow classes of information.However, the ’58 directive indicates that personal data incorporates a broad range of information about a person, including "traffic data,"^[126] "location data,"^[127] and line items in itemized bills.^[128]

In contrast to the United States, the Directives are silent about whether encrypting or redacting personal information nullifies a breach. However, the Working Party Opinion 2.2 seems to indicate that even breaches of encrypted personal information must be reported to a national regulatory agency.^[129]

Likelihood of Harm or Misuse

EU laws also integrate risk analysis in determining whether notification is necessary.In the US, several states incorporate a "Likelihood of Harm or Misuse" test when determining whether a breach has occurred. In the EU, no analogous Risk Analysis test currently applies. However, the Working Group recommends creating a Risk Analysis test, not for purposes of determining whether a breach occurred, but whether an individual notification requirement exists. Such a test would attempt to avoid unnecessarily alarming individuals or flooding authorities with minor cases by considering several factors, including: The amount of data breached, the sensitivity of the data, the potential for adverse effects like identity theft, financial loss, loss of business or employment opportunities, etc.^[130]

Other Duties

In order to comply with the ’58 Directive, communication sector services owe several duties to subscribers. These duties can establish a minimum duty of care and standard of negligence in civil litigation. They include taking appropriate software and encryption measures to protect personal information,^[131] and to fully inform subscribers of potential risks to their personal information.^[132]

Enforcement

Directive 2002/58/EC anticipates that each EU nation will provide judicial remedies for failure to comply with the requirements.^[133]The Working Party also recommends that national regulatory authorities should be authorized to independently disclose a breach to the public, and impose fines if a service provider fails to fully report a personal data breach.^[134] Detecting a concealed breach may require auditing and additional regulation.

^[1] See, e.g., Colo. Rev. Stat. § 6-1-716(2)(a); Del. Code tit. 6, § 12B-102(a); Idaho Code § 28-51-105(1); Kan. Stat. § 50-7a02(a); Me. Rev. Stat. tit. 10 § 1348(1)(A); Md. Code, Com. Law § 14-3504(b)(1) (Requiring an investigation when the entity becomes aware of a breach.);La. Rev. Stat. § 51:3074(G) (Imposing a duty to investigate when personal information was or was "reasonably believed to have been acquired by an unauthorized person.").

^[2] See American Recovery and Reinvestment Act (ARRA), Subtitle D. http://www.opencongress.org/bill/111-h1/text

^[3] See American Recovery and Reinvestment Act (ARRA), Subtitle D. http://www.opencongress.org/bill/111-h1/text

^[4] Cal. Civ. Code §§ 1798.82-84.

^[5] See, e.g. N.H. Rev. Stat. § 359-C:2.

^[6] See, e.g. Ga. Code § 10-1-910(4),(7).

^[7] Ark. Code § 4-110-102(a)-(b); Cal. Civ. Code § 1798.81.5(a); R.I. Gen. Laws § 11-49.2-2(1).

^[8] R.I. Gen. Laws § 11-49.2-2(1); Ga. Code: 10-1-910(6)-(7).

^[9] N.H. Rev. Stat. 359-C:2(I)-(II).

^[10] See, e.g. Minn. Stat. § 325E.64 Subd. 3(5).

^[11] Treating Data as Property has few legal roots in intellectual property law, treated either as first- or third-party property. Most personal information, such as names, addresses, phone numbers, and social security numbers, are facts. 19 NO. 7 Intell. Prop. & Tech. L.J. 5, 8.Although innovative arrangements of information are themselves copyrightable, facts are not. Feist Publications, Inc. v. Rural Telephone Service, 499 U.S. 340, 363-64, 111 S.Ct. 1282, 1297 (1991) (Holding that an alphabetized collection of personal facts in a phone book is not copyrightable because 1. Facts are not copyrightable, and 2. The phone book lacks minimally creative selection, coordination, and arrangement. "As a statutory matter, 17 U.S.C. § 101 does not afford protection from copying to a collection of facts that are selected, coordinated, and arranged in a way that utterly lacks originality.")Patent law protects novel methods, processes, and physical compounds, but does not create first- or third-party ownership interests in personal information. 35 U.S.C.A. §§ 101-102. Facts in a database may qualify for trade secret protection under state law, but only if the information meets stringent requirements, and remains secret. 19 NO. 7 Intell. Prop. & Tech. L.J. 5, 8.

^[12] Cal. Civ. Code § 1798.81.5(a); R.I. Gen. Laws § 11-49.2-2(1); Ark. Code § 4-110-103(6).

^[13] See, e.g., Ark. Code§ 4-110-105(b); Cal. Civ. Code§ 1798.82(b); Colo. Rev. Stat.§ 6-1-716(2)(b); Conn. Gen Stat.§ 36a-701b(c); Del. Code tit. 6,§ 12B-102(b); Fla. Stat.§ 817.5681(2)(a); Ga. Code§ 10-1-912(a); Haw. Rev. Stat.§ 487N-2(b); Idaho Code§ 28-51-105(2); Ind. Code§ 4-1-11-6(a); Kan. Stat.§ 50-7a02(b); La. Rev. Stat.§ 51:3074(B); Me. Rev. Stat. tit. 10§ 1348(2); Md. Code, Com. Law§ 14-3504(c)(1); M.G.L.A.§ 3(a); Mich. Comp. Laws445.72 § 12(2); Minn. Stat.§ 325E.61 Subdiv. 1(b); Mont. Code§ 30-14-1704(2); Nev. Rev. Stat.§ 603A.220(2); N.Y. Gen. Bus. Law§ 899-aa(1)(d)(3).

^[14] Cal. Civ. Code § 1798.80(b).

^[15] Cal. Civ. Code § 1798.82(d).

^[16] Haw. Rev. Stat. § 487N-2(a) (Requiring notification of a breach of personal information in any form, "whether computerized, paper, or otherwise.")

^[17] California’s prototypical statute reaches “well beyond California’s borders, potentially affecting any company, person or agency that has a computer database containing any California resident’s ‘personal information.”’ Tyler Paetkau & Roxanne Torabian-Bashardoust, California Deals with ID Theft: The Promise and the Problems, Bus. L. Today, May-June 2004, at 37, 37.

^[18] Ariz. Rev. Stat. § 44-7501(A), (L)(5) (2007 S.B. 1042, Chapter 23)

^[19] See, e.g., Mont. Code Ann. §§ 30-14-1702(1)(a), -1704(1)-(2) (2005) (imposing a notification duty on “[a]ny person or business that conducts business” and defining a business as “a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution…or the parent or the subsidiary of a financial institution.”); N.D. Cent. Code § 51-30-02 (Supp. 2005) (creating an obligation to notify for “[a]ny person that conducts business”).

^[20] See e.g., Ohio Rev. Code § 1347.12.

^[21] See, e.g., Ariz. Rev. Stat. § 44-7501(L)(5) (2007 S.B. 1042, Chapter 23) (exempting notification requirements for breaches made by public safety officials, courts, and municipal prosecutors); Ga. Code Ann. §§ 10-1-911(2), -912(a) (Supp. 2005) (exempting “any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes”).

^[22] Ariz. Rev. Stat. §44-7501 (J)(1); Colo. Rev. Stat. § 6-1-716(2)(p); Mich. Comp. Laws §445.72 (8)(b); N.H. Rev. Stat. §359-C:20 (VI)(b); Oregon, 2007 S.B. 583, Chapter 759 Section 3(8)(c); Tenn. Code § 47-18-2107(i); D.C. Code § 28-3852(c); Vt. Stat. tit. 9 § 2445 (d)(1) (exempting financial institutions from duty to destroy personal information).Though the GLB requires financial institutions to publicize their privacy policies, and establish internal safeguards and procedures to protect consumer personal information, the statute does not require consumer notification in case of a breach. Gramm-Leach-Bliley Act of 1999, Subtitle A: Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. § 6801–6809.

^[23] Ariz. Rev. Stat. §44-7501 (J)(2); Cal. Civ. Code §1798.81.5(e)(3); Haw. Rev. Stat. § 487N-2(g)(2); Mich. Comp. Laws § 445.72 Sec. 12(10); Oregon, 2007 S.B. 583, Chapter 759 Sec. 12(2)(c); R.I. Gen. Laws § 11-49.2-7; Vt. Stat. tit. 9 § 2445 (d)(2) (exempting health insurers and health care facilities from duty to destroy personal information).Until recently, entities covered by HIPAA were not required to notify individuals of breaches. See American Recovery and Reinvestment Act (ARRA), Subtitle D. http://www.opencongress.org/bill/111-h1/text

^[24] Vt. Stat. tit. 9 § 2445 (d)(3) (exempting consumer reporting agencies from duty to destroy personal information).

^[25] Oregon, 2007 S.B. 583, Chapter 759 Section 3(8)(b).

^[26] See, Ga. Code Ann. §§ 10-1-911(2), -912(a) (Supp. 2005) (limiting the obligation to “information brokers,” or “any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties.”Coincidentally, the major data broker ChoicePoint is headquartered in Georgia. ChoicePoint suffered a large and well-publicized data breach in 2005.).

^[27] Me. Rev. Stat. tit. 10 §1347 (6)(E) (2005).

^[28] See e.g., BuisinessWeek. Firm to settle suits stemming from employee’s theft of records, April 12, 2008, http://investing.businessweek.com/research/stocks/news/article.asp?docKey=600-200804120545KRTRIB__BUSNEWS_17116-3JDVBU48S0DAEKQKKHUA7RFHFT×tamp=04/12/2008%205:45%20AM%20ET&headline=Firm%20to%20settle%20suits%20stemming%20from%20employee’s%20theft%20of%20records%20%5BThe%20Kansas%20City%20Star%2C%20Mo.%5D&docSource=Knight%20Ridder/Tribune&provider=ACQUIREMEDIA&symbol=SAI (Accessed June 13, 2008).

^[29] Cal. Civ. Code § 1798.82(d).

^[30] See, e.g., Cal. Civ. Code § 1798.81.5(a),(b). Ark. Code § 4-110-104(b).

^[31] Cal. Civ. Code § 1798.82(a).

^[32] See, e.g., Colo. Rev. Stat. § 6-1-716(2)(a); Del. Code tit. 6, § 12B-102(a); Idaho Code § 28-51-105(1); Kan. Stat. § 50-7a02(a); Me. Rev. Stat. tit. 10 § 1348(1)(A); Md. Code, Com. Law § 14-3504(b)(1) (Requiring an investigation when the entity becomes aware of a breach.);La. Rev. Stat. § 51:3074(G) (Imposing a duty to investigate when personal information was or was "reasonably believed to have been acquired by an unauthorized person.").

^[33] See, e.g., Ariz. Rev. Stat. § 44-7501(L)(1) (2007 S.B. 1042, Chapter 23); Cal. Civ. Code § 1798.82(a); Colo. Rev. Stat. § 6-1-716(1)(a); Conn. Gen Stat. § 36a-701b(a); Del. Code tit. 6, § 12B-101(1); Fla. Stat. § 817.5681(4); Ga. Code § 10-1-911(1); Haw. Rev. Stat. § 487N-1; Idaho Code § 28-51-104(2); 815 ILCS 530/5; Ind. Code § 4-1-11-2(a); Kan. Stat. § 50-7a01(h); La. Rev. Stat. § 51:3073(2); Me. Rev. Stat. tit. 10 § 1347(1); Md. Code, Com. Law § 14-3504(a)(1); M.G.L.A. 93H § 1(a); Mich. Comp. Laws § 445.63(3)(b); Minn. Stat. § 325E.61(1)(a); Mont. Code § 30-14-1704(1); Nev. Rev. Stat. § 603A.020; N.J. Stat. § 56:8-161(10); N.Y. Gen. Bus. Law § 899-aa(1)(c); Ohio Rev. Code § 1347.12(2)(a); Tenn. Code § 47-18-2107(a)(1); Utah Code § 13-44-102(1)(a); Vt. Stat. tit. 9 § 2430(8)(A); D.C. Code § 28-3851(1).

^[34] N.Y. Gen. Bus. Law § 899-aa(c).

^[35] See, e.g., Cal. Civ. Code § 1798.82(a); R.I. Gen. Laws § 11-49.2-3(a); Wash. Rev. Code § 19.255.010(1); Ark. Code § 4-110-105(a)(1) (Requires notification when a breach is "reasonably believed" to have occurred.).

^[36] See, e.g., Fla. Stat. § 817.5681(4); Idaho Code § 28-51-104(2).

^[37] See, e.g., Ariz. Rev. Stat. § 44-7501(L)(1); Ark. Code § 4-110-103(1)(B); Cal. Civ. Code § 1798.82(d); Colo. Rev. Stat. § 6-1-716(1)(a); Del. Code tit. 6, § 12B-101(1); Fla. Stat. § 817.5681(7); Ga. Code § 10-1-911(1); Haw. Rev. Stat. § 487N-1; Idaho Code § 28-51-104(2); 815 ILCS 815 ILCS 530/5; Ind. Code § 4-1-11-2(b)(1); Kan. Stat. § 50-7a01(h); La. Rev. Stat. § 51:3073(2); Md. Code, Com. Law § 14-3504(a)(2); M.G.L.A. § 1(a); Mich. Comp. Laws 445.63 § 3(b)(i); Minn. Stat. § 325E.61(1)(b); Mont. Code § 30-14-1704(1); Nev. Rev. Stat. Nev. Rev. Stat. § 603A.020; N.J. Stat. N.J. Stat. § 56:8-161(10); N.Y. Gen. Bus. Law N.Y. Gen. Bus. Law § 899-aa(1)(c); Ohio Rev. Code § 1347.12(2)(a), § 1347.19(A)(1)(b)(i).

^[38] See, e.g., Ariz. Rev. Stat. § 44-7501(L)(1); Colo. Rev. Stat. § 6-1-716(1)(d)(I); Conn. Gen Stat. § 36a-701b(a); Del. Code tit. 6, § 12B-101(1); Ga. Code § 10-1-911(5); Haw. Rev. Stat. § 487N-1; Idaho Code § 28-51-104(2); 815 ILCS 815 ILCS 530/5; Ind. Code § 4-1-11-5(a); Kan. Stat. § 50-7a01(h); La. Rev. Stat. § 51:3073(4)(a); Me. Rev. Stat. tit. 10 § 1347(6); Md. Code, Com. Law § 14-3501(d)(1); M.G.L.A. § 1(a); Mich. Comp. Laws 445.72 § 12(1)(a); Minn. Stat. § 325E.61(1)(a); R.I. Gen. Laws § 11-49.2-3(a); Tenn. Code § 47-18-2107(a)(1); Utah Code § 13-44-102(1)(b); Vt. Stat. tit. 9 § 2430(5)(A); D.C. Code § 28-3851(1).

^[39] Ind. Code § 24-4.9-2-2(b)(2).

^[40] See, e.g., Utah Code § 13-44-102(3).

^[41] See, e.g., Colo. Rev. Stat. § 6-1-716(1)(a).

^[42] See, e.g., Ark. Code § 4-110-103(1)(A).

^[43] See, e.g., M.G.L.A. 93H § 1(a).

^[44] Cal. Civ. Code § 1798.81.5(d)(1), 1798.82(e).

^[45] See, e.g., Ind. Code § 4-1-11-3(b)(1); Nev. Rev. Stat. 603A.040(3); see also Ohio Rev. Code § 1347.12(A)(9) (Stating that a Social Security Number is properly redacted if only the last four digits are exposed).

^[46] N.H. Rev. Stat. § 359-C:20(I)(a); Colo. Rev. Stat. § 6-1-716(2)(a); Del. Code tit. 6, § 12B-102(a); Idaho Code § 28-51-105(1); Kan. Stat. § 50-7a02(a); Md. Code, Com. Law § 14-3504(b)(2); Mich. Comp. Laws 445.72 § 12(1).

^[47] Ariz. Rev. Stat. § 44-7501(K)(1) (2007 S.B. 1042, Chapter 23).

^[48] Namely, 1. (Reasonable likelihood of) Unauthorized and Bad Faith 2. Acquisition of3. Unencrypted or Unredacted 4. (Computerized) Personal Information, 5. (Which is likely to cause harm).

^[49] See, e.g., Haw. Rev. Stat. §487N-2(d)(1) (Requiring that notice of the breach describe "[t]he incident in general terms."). See also, Mich. Comp. Laws § 359-C:20(IV)(a).

^[50] Cal. Civ. Code § 1798.82 (g).

^[51] See, e.g., Colo. Rev. Stat. § 6-1-716(1)(c)(II).

^[52] See, e.g., Ariz. Rev. Stat. § 44-7501(E); Cal. Civ. Code § 1798.82(h); Colo. Rev. Stat. § 6-1-716(3); Ga. Code §§ 10-1-911(3)(C)(iii)

^[53] See, e.g., Mich. Comp. Laws 445.72 § 12(1)(a); Cal. Civ. Code § 1798.81.5(c); Ariz. Rev. Stat. § 44-7501(B); Ark. Code § 4-110-105(b).

^[54] See, e.g., Ark. Code § 4-110-105(e)(3)(A)(iii).

^[55] N.H. Rev. Stat. 359-C:20 (III)(d); see also, Vt. Stat. tit. 9 § 2435(b)(5)(B) (Allowing substitute notice if the cost exceeds $5,000 or the class of affected individuals exceeds 5,000).

^[56] Neb. Rev. Stat. § 87-801 (4)(e); Ohio Rev. Code § 1347.12(E)(5).

^[57] Wyo. Stat. § 40-12-502 (d)(iii).

^[58] See, e.g., Cal. Civ. Code § 1798.82(g)(3) (Requiring persons to demonstrate a $250,000 cost or class of affected individuals over 500,000); Haw. Rev. Stat. § 487N-2(e)(4) (Requiring persons to demonstrate a $100,000 cost or class of affected individuals over 200,000).

^[59] See, e.g., Cal. Civ. Code § 1798.82(g).

^[60] See, e.g., Cal. Civ. Code § 1798.82(a).

^[61] Md. Code, Com. Law § 14-3504(b)(2).

^[62] Fla. Stat. § 817.5681(1)(a); Wis. Stat. § 895.507(1)(cm)(3).

^[63] See, e.g., Colo. Rev. Stat. § 6-1-716(2)(d) (Must notify all consumer reporting agencies where breach exceeds 1,000 people); Ga. Code § 10-1-912(d) (Must notify all consumer reporting agencies where breach exceeds 10,000 people); Haw. Rev. Stat. § 487N-2(f) (Must notify all consumer reporting agencies and Hawaii’s Office of Consumer Protection where breach exceeds 1,000 people); 815 ILCS 530/12(d) (Must notify all consumer reporting agencies where breach exceeds 1,000 people); Ind. Code § 4-1-11-10 (State agencies must notify all consumer reporting agencies where breach exceeds 1,000 people); Kan. Stat. § 50-7a02(f) (Must notify all consumer reporting agencies where breach exceeds 1,000 people); La. Rev. Stat. 32:4 (Must notify Louisiana Attorney General); Me. Rev. Stat. tit. 10 § 1348(4),(5) (Must notify all consumer reporting agencies, Department of Professional and Financial Regulation, or Attorney General where breach exceeds 1,000 people); Md. Code, Com. Law § 14-3504(h) (Must notify Maryland Attorney General); M.G.L.A. 93H § 3(b) (Must notify the Director of Consumer Affairs, Attorney General, and consumer reporting agencies); Mich. Comp. Laws 445.72 § 12(8) (Must notify all consumer reporting agencies where breach exceeds 1,000 people).

^[64] See, e.g., N.H. Rev. Stat. § 359-C:20(I)(b) ("Nothing in this section shall be construed to require the person to provide to any regulator or the New Hampshire attorney general’s office the names of the individuals entitled to receive the notice or any personal information relating to them.")

^[65] Pisciotta v. Old Nat’l Bancorp., 499 F.3d 629, 637 FN 8 (7th Cir. 2007) (Louisiana law "provides as the exclusive remedy an action by the Attorney General against the database owner.").

^[66] See, e.g., Ariz. Rev. Stat. § 44-7501(H); Ark. Code § 4-110-108; Colo. Rev. Stat. § 6-1-716(4); Kan. Stat. § 50-628; Me. Rev. Stat. tit. 10 § §1349(1); Minn. Stat. § 325E.61 Subd. 6; N.D. Cent. Code § 51-30-07; Ohio Rev. Code § 1347.12(G); Tenn. Code § 47-18-2105(a).

^[67] See, e.g., 815 ILCS 530/12 Sec. 20. ("A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act"); Tenn Code § 47-18-2106(b) ("any violation of the provisions of this part shall be construed to constitute an unfair or deceptive act or practice"); Conn. Gen Stat. § 36a-701b(g).

^[68] See, e.g., D.C. Code § 28-3853(b) ("Attorney General may recover a civil penalty not to exceed $100 for each [residents' breached information], the costs of the action, and reasonable attorney’s fees.").

^[69] Ariz. Rev. Stat. § 44-7501(H).

^[70] Tex. Bus. & Com. Code § 48.201.

^[71] N.Y. Gen. Bus. Law § 899-aa(6)(a) (A "court may impose a civil penalty of the greater of five thousand dollars or up to ten dollars per instance of failed notification, provided that the latter amount shall not exceed one hundred fifty thousand dollars.");

^[72] Fla. Stat. § 817.5681(1)(b)(2).

^[73] Mich. Comp. Laws § 445.72 Sec. 12(13) (Recovery of civil fine of not more than $250 for each individual, not totaling more than $750,000.00).

^[74] See, e.g., Utah Code § 13-44-301(1)-(2)(a) ("Nothing in this chapter creates a private right of action").

^[75] Del. Code tit. 6, § 12B-104 ("The provisions of this chapter are not exclusive and do not relieve an individual or a commercial entity subject to this chapter from compliance with all other applicable provisions of law."); Wyo. Stat. § 40-12-502(f) (The provisions of this section are not exclusive and do not relieve an individual or a commercial entity subject to this section from compliance with all other applicable provisions of law.)

^[76] Cal. Civ. Code § 1798.84(b) ("Any customer injured by a violation of this title may institute a civil action to recover damages."); Minn. Stat. § 13.05 Subd. 5(2).

^[77] Cybesecurity, Identity Theft, and the Limits of Tort Liability, 57 S.C. L.Rev. 255, 305-311 (2005).(Noting the analogy between toxic torts and cybersecurity breaches.);

^[78] Potter v. Firestone Tire & Rubber Co., 863 P.2d 795, 821 (Cal. 1993) (citing Ayers v. Twp. of Jackson, 525 A.2d 287, 308 (N.J. 1987)). See also, Badillo v. American Brands, Inc., 16 P.3d 435, 439 (Nev. 2001).

^[79] Stollenwerk v. Tri-West Healthcare Alliance, No. 03-0185PHXSRB, 2005 WL 2465906, at *4 (D. Ariz. Sept. 6, 2005) (But, "as a matter of law identity theft and credit monitoring must still be differentiated from toxic torts and medical monitoring"); see also People v. Ware, No. H025167, 2003 WL 22120898, *2 (Cal. Ct. App. Sept. 11, 2003) (affirming an award of restitutionary damages to a victim of identity theft, including “$100 per year for monitoring the adverse consequences on her credit rating”).

^[80] Kahle v. Litton Loan Servicing LP, 486 F.Supp.2d 705, 709-12 (S.D.Ohio 2007); Henry v. Dow Chemical Co., 473 Mich. 63, 701 N.W.2d 684, 692 (2005) (Rejecting the medical monitoring analogy, concluding that "our common law requires a present injury in addition to economic loss incurred as a result of that injury.").

^[81] Kahle v. Litton Loan Servicing LP, 486 F.Supp.2d 705, 709-12 (S.D.Ohio 2007); see also, Ponder v. Pfizer, 522 F.Supp.2d 793, 798 (M.D. Louisiana 2007) (Holding that actual damages are only realized when "someone actually use[s] the disclosed information to [plaintiff's] detriment."); Hendricks v. DSW Shoe Warehouse, Inc., 444 F.Supp.2d 775 (W.D.Mich. 2006) (Holding that "purchase of a credit monitoring product" is not "actual damages or a cognizable loss."); Forbes v. Wells Fargo Bank, N.A., 420 F.Supp.2d 1018, 1020-21 (D.Minn. 2006) (Holding that "expenditure of time and money" for credit monitoring does not constitute injury or damages because it "was not the result of any present injury, but rather the anticipation of future injury that has not materialized.""[T]hreat of future harm, not yet realized, will not satisfy the damage requirement."); Key v. DSW, Inc., 454 F.Supp2d at 690 (Holding that an "alleged increase in risk of future injury is not an ‘actual or imminent’ injury," and must therefore fail.).

^[82] Randolph v. ING Life Insurance and Annuity Co., 486 F.Supp.2d 1, 11 (U.S. District Court, DC 2007) (Holding that in a stolen laptop case where no evidence of fraud or identity theft has occurred, "[p]laintiffs have failed to allege an injury in fact and thus lack Article III standing."); Nat’l Treasury Employees Union, 101 F.3d at 1427 (citing Lujan, 504 U.S. at 560, 112 S.Ct. 2130, 119 L.Ed.2d 351); Lujan v. Defenders of Wildlife, 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (Holding that standing is an "irreducible constitutional minimum.").

^[83] Pisciotta v. Old Nat’l Bancorp., 499 F.3d 629, 639-40 (7th Cir. 2007) (Refusing to compensate for "emotional distress and worry that third parties will use [the plaintiffs'] confidential personal information to cause economic harm.").

^[84] Brent Wible, A Site Where Hackers Are Welcome: Using Hack-In Contests to Shape Preferences and Deter Computer Crime, 112 Yale L.J. 1577, 1581-85 (2003), at 1582 (Contending that “hackers tend to be judgment proof”).

^[85] Bell v. Michigan Council, Not Reported in N.W.2d, 2005 WL 356306 at *5 (Mich.App.).

^[86] Minn. Stat. § 13.05 subd. 5(2).

^[87] Scott v. Minneapolis Public Schools, Special Dist. No. 1, No. A05-649, 2006 WL 997721 (Minn. App. Apr. 18, 2006).

^[88] Scott v. Minneapolis Public Schools, Special District No. 1, Not Reported in N.W.2d, 2006 WL 997721, *3 (Minn.App. 2006) (Holding that Minn.Stat. § 13.02, subd. 16 (2002) and § 13.08, subd. 1 creates a duty to individuals, not just a broad duty against disclosure of records.).

^[89] Cybesecurity, Identity Theft, and the Limits of Tort Liability, 57 S.C. L.Rev. 255 (2005).

^[90] Palsgraf v. Long Island Railroad Co., 162 N.E. 99, 100 (N.Y. 1928).

^[91] Kline v. 1500 Massachusetts Avenue Apartment Corp., 439 F.2d 477 (D.C. Cir. 1970).

^[92] McGrath v. Zenith Radio Corp., 651 F.2d 458, 468 (7th Cir. 1981) (Holding that the failure to correct earlier true statements which have become false or misleading was fraudulent); see e.g., Note 134, where a breaching entity continues to assert that "your personal information is safe," in the wake of a severe data breach. But see Note 64, where a business responds to a data breach by attempting to disclaim all duties.

^[93] Rest. 2d Torts § 652C cmt (1977) (Explaining that "[if] the benefit derived from the sale in no way relates to the social or commercial standing of the person whose information is sold… [then] a person whose personal information is sold does not have a cause of action for appropriation against the [person] who sold the personal information.").

^[94] See generally, Restatement (Third) of Torts: Liab. for Physical Harm § 42 (Proposed Final Draft No. 1, 2005) (discussing duty based on undertaking).

^[95] Minn. Stat. § 325E.64 Subd. 3.

^[96] Minn. Stat. § 325E.61 Subd. 6.

^[97] Citation Pending.

^[98] Ariz. Rev. Stat. §44-7501 (J)(2); Cal. Civ. Code §1798.81.5(e)(3); Haw. Rev. Stat. § 487N-2(g)(2); Mich. Comp. Laws § 445.72 Sec. 12(10); Oregon, 2007 S.B. 583, Chapter 759 Sec. 12(2)(c); R.I. Gen. Laws § 11-49.2-7; Vt. Stat. tit. 9 § 2445 (d)(2) (exempting health insurers and health care facilities from duty to destroy personal information)

^[99] American Recovery and Reinvestment Act, H.R. 1, § 13402(a).

^[100] 45 CFR 160.103.

^[101] ARRA, H.R. 1, § 13402(f)(2).

^[102] ARRA, H.R. 1, § 13402(b).

^[103] ARRA, H.R. 1, § 13402(b).

^[104] ARRA, H.R. 1, § 13400.

^[105] ARRA, H.R. 1, § 13402(h)(1)(A)-(B).

^[106] ARRA, H.R. 1, § 13402(d)(1).

^[107] ARRA, H.R. 1, § 13402(d).

^[108] ARRA, H.R. 1, § 13402(f).

^[109] Directive 2002/58/EC Preamble (21)

^[110] Directive 2002/58/EC Preamble (30)

^[111] Directive 2002/21/EC Article 2(c).

^[112] Directive 2002/58/EC Article 3(1).

^[113] Directive 2002/21/EC Article 2(c).

^[114] Directive 2000/31/EC, currently does not require consumer notification for breaches.

^[115] Directive 2002/21/EC Article 2(a) defines "electronic communications network" as “transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed;”

^[116] Directive 2002/21/EC Article 2(c).

^[117] Directive 98/34/EC as amended by Article 1(2) of Directive 98/48/EC defines an Information Society Service as "…any service normally provided for remuneration, at a distance, by electronic means… [except] radio…[and] television broadcasting services."

^[118] Working Party Opinion 2.1

^[119] Directive 2002/58/EC Article 4(2).

^[120] Working Party Opinion 2.1, “Notwithstanding their obligation to notify the competent national regulatory authorities of all breaches whenever there is a risk of adverse effects, service providers should determine if notification to subscribers or individuals is required.”Working Party Opinion 2.2 “…breach notifications [to national regulatory agency] should include information about the circumstances of the breach, including whether personal data had been protected by encryption…”

^[121] Working Party Opinion 2.1.

^[122] Working Party Opinion 2.2.

^[123] Directive 2002/58/EC Articles 6(5), 9(3) requires personal information to be used only by persons “acting under the authority of” the communications providers.

^[124] Directive 2002/58/EC Articles 6(5), 9(3)

^[125] Directive 2002/58/EC Preamble (32): “Where the provider of an electronic communications service or of a value added service subcontracts the processing of personal data necessary for the provision of these services to another entity, such subcontracting and subsequent data processing should be in full compliance with the requirements regarding controllers and processors of personal data as set out in Directive 95/46/EC.”

^[126] Directive 2002/58/EC Article 2(b).

^[127] Directive 2002/58/EC Article 2(c).

^[128] Directive 2002/58/EC Article 7(1).

^[129] “…breach notifications [to national regulatory agency] should include information about the circumstances of the breach, including whether personal data had been protected by encryption…”

^[130] Working Party Opinion 2.1, fn.4, “The qualitative and quantitative criteria for assessing the impact of adverse effects will need to be defined precisely during the commitology procedure…”

^[131] Directive 2002/58/EC Article 4(1), Preamble (20).

^[132] Directive 2002/58/EC Article 4(2), Preamble (20).

^[133] Directive 2002/58/EC Preamble (47).

^[134] Working Party Opinion 2.1.

How to Write an ARRA Breach Notification Letter

Titus — Wed, 01 Apr 2009 21:48:08 +0000

Note:This article originally appeared on the Jeffrey Neu Blog.

“We’ve had a breach.” It’s a sentence nobody wants to hear, but when it happens to you, what to you do? If you’re in the healthcare industry, new federal regulations probably require you write a letter to the victims of the breach, or more. When and how quickly do you have to send a HIPAA/ ARRA notification? And what does it have to say?

The American Recovery and Reinvestment Act of 2009 (ARRA) requires HIPAA-covered entities to notify breach victims when protected health information has been disclosed to an unauthorized person. The legislation gives liberal exceptions for good faith and inadvertent disclosure. Redaction or encryption is an absolute defense to a breach.

“Protected Health Information” is any stored or transmitted health information which can be tied to an individual. It may include information not directly related to health, such as a full name, social security number, date of birth, home address, account number, or disability code. The law also requires third-party contractors or “business associates” to report breaches to the covered entity.

A breach notification letter must meet differing but complementary legal and economic goals. They include:

Complying with law

Minimizing Losses

Repairing your company’s public image

Regaining your customers’ trust

Mitigating civil liability

Compliance with Law

Complying with the law is straightforward. In addition to the requirements above, the notification must include a brief description of the incident, including the following information:

Date of the breach;
Date of discovery;
Description of the types of protected health information breached;
Steps individuals should take to protect themselves from potential harm resulting from the breach;
A brief description of the investigation, efforts to minimize losses and prevent future breaches;
Contact information for individuals who wish to ask questions or learn more information, including a toll-free phone number, e-mail address, website, or postal address.

Repairing your Company’s Image

Avoid the natural tendency to clamp up. Of course, the best way to protect your company’s image is to keep bad news out of the public eye. But once the cat’s out of the bag, several studies indicate that more than two-thirds of economic losses arising from a data breach are due to brand diminishment and lost customer trust, rather than litigation or identity theft expenses.

Above all, your company must maintain credibility. Be honest, open, and share enough detail to convince an educated person that you know what you’re talking about, and that you’ve actually fixed the problem. Consider hiring an outside security consultant who can 1. Give you genuine feedback on your security practices, and 2. Vouch for your credibility when you say that your customers are safe.

Rebuilding Customer Trust

Consider your last trip to the Department of Motor Vehicles. It probably consisted of waiting for hours in multiple serpentine lines without any direction, followed by more waiting, followed by spending money. The best part is riding away in your car when you’re done. Surprisingly, Disneyland and the DMV have a lot in common: Long lines, spending money, and rides. What sets the DMV apart from the happiest place on earth? One important ingredient is Customer Empowerment.

One way the Disney folks empower customers is by posting periodic signs in long lines: “Wait Time: 45 minutes from this point.” Though the sign does not decrease wait time, it informs and empowers customers. And as Disney knows, empowered customers are happy customers. Frustrated, angry customers are far more likely to cause trouble or leave altogether.

The best way to rebuild your customers’ trust is to empower them. Too many breach notifications include the unhelpful statement, “We have no reason to believe that anyone has accessed or misused your information.” The statement is faulty because it does not empower the customer to take action. Also, if the statement isn’t completely true, or if it changes in the future, it may inadvertently induce liability under certain circumstances. Further, these types of statements tend to frustrate rather than empower customers, causing some to conclude that the notification is incomplete or disingenuous.

Instead, consider these options:

Say, “Although we have no reason to believe that anyone has accessed or misused your information, if you think your personal information has been misused as a result of this breach, please call 1-800-XXX-XXXX so we can investigate…”
Include statistics on typical rates of harm for similar breaches, where possible.
Actually investigate the breach.
Create a website where customers can get up-to-the minute updates on the investigation directly from you, rather than from the media (and update it after the media buzz has subsided).

Mitigating Civil Liability

ARRA does not expressly create a private right of action for a HIPAA breach. Other theoretical sources of liability exist, though. For example, an individual may be able to rely upon a notification statute as the basis for a suit alleging negligence per se, where the breach of the duty to notify causes proximate harm to the plaintiff. Next, failure to correct statements (such as privacy policies) which have become false or misleading in light of new events, may create a tortious cause of action if the company fails to warn customers about foreseeable risks to personal information.

In contrast, most breaches are not likely to create privacy liability. Privacy tort actions usually require the breached information to cause extreme emotional distress, or a dilution of the property value of reputation or prestige. In addition, most courts have consistently failed to force companies to pay for credit monitoring services unless:

A person has become an actual victim of identity theft.
The person has found the thief
The person can prove that the thief’s copy of their SSN or other personal information came from the breaching entity, and
The person proves that the entity had a legal obligation to keep that information private.

Instead, it’s important to remember that businesses stand to loose more money from brand diminishment and lost customer trust than from litigation.

Stimulus Package Federalizes Health Information Breach Notifications

Titus — Fri, 06 Mar 2009 14:49:23 +0000

Note: This article was originally posted on JeffreyNeu.com.

Streamlining medical records has been a recurring theme of the Obama administration. Tucked away in the pending economic stimulus legislation, known as the American Recovery and Reinvestment Act (ARRA), is a provision which would create a breach notification requirement for health information breaches.

Starting in Subtitle D, ARRA takes an unprecedented foray into federalizing data breach notifications. Although ARRA regulates breaches of health information, this legislation will no doubt be front and center of future debates about creating a Federal Breach Notification Law.

Synopsis

Here is a quick analysis: ARRA mirrors most state breach notification laws, in that it requires “covered entities” (ie, Health Plans, Health Care Providers, and Health Care Clearinghouses) to notify each individual if their “unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of [a] breach.” Business Associates, or subcontractors, must alert the Health Care Provider of a breach. The statute also places additional limits on how health information can be sold and shared.
The statute dramatically broadens the ambiguous state-law concept of “data owners,” and applies to any HIPAA-covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information.”

As expected, the Federal law takes a lowest-common-denominator approach to duties. For example, although notifications must be made “without reasonable delay,” the statute allows up to 60 calendar days to comply. This is substantially longer than the longest state requirement, which requires notification within 45 days.
Each state notification law requires direct (ie mail) notification to affected individuals unless the person can’t be found, and allows “Substitute Notice” in cases of large breaches. “Substitute Notice” usually comprises posting an announcement on the organization’s website and notifying the media. Some states do not permit Substitute Notice unless the breach is extremely large (250,000+ in some cases). But ARRA allows substitute notice if the breach involves just 500 people in a single state.

The statute also reaches well beyond traditional “covered entities” to any service provider or vendor of personal health records. Presumably, this would include data warehouses like Google or Microsoft, each of which has or has announced plans to create online consumer health records warehouses. However, these vendors need only report the breach to the FTC, which will treat it as a deceptive trade practice. Individuals should not expect a letter from Google or Microsoft if their health care records are breached.

On one hand, this federal legislation will plug holes in several states statutes by regulating health information. Arizona, California, Hawaii, Michigan, Oregon, and Rhode Island, for example, regulate health care providers and insurers differently from other companies, and may even completely exempt them from notification requirements.

This bill will no doubt spur the national discussion about breach notification laws. But because they mimic existing state laws, the bill comes up short. Breach Notification Laws were a step in the right direction when California passed the first one almost seven years ago. But since that time, they have displayed several shortcomings, which I critique here. Instead of fixing these problems, ARRA will exacerbate many of them.

Cost of Data Breaches Rise

Titus — Wed, 04 Feb 2009 14:37:37 +0000

Note: This post originally appeared on JeffreyNeu.com.
ZD Net reports that the cost of a data breach has gone up 2.5% from 2007, according to research published by the Ponemon Institute.

After comparing data from 43 companies (including several repeat offenders), companies loose just over $200 per compromised record. Significantly, lost business due to a lack of customer trust and brand diminishment comprises 69% of the cost.

Forget about the cost of postage… businesses stand to loose much more in sales from customers who read, “We regret to inform you…”

The Top 5 Reasons You Won’t Hear About a Breach

Titus — Mon, 02 Feb 2009 15:11:02 +0000

Note: This article originally appeared on the Security Catalyst Blog.

I have personally discovered more than a hundred data breaches by schools, companies, doctors’ offices, tax professionals, government agencies, and individuals over the past several years. Unfortunately, very few of the breaching entities proactively announce an average breach, regardless of the law. Here are the most common reasons:

Failure to Detect
Market Devaluation of Privacy
Poor Communication
Ignorance of Law
Notification Difficulty

Failure to Detect

Many organizations do not have proper diagnostic processes to detect breaches when they occur, and many do not keep proper logs. Thus, when a press releases reads, “we have no evidence that the sensitive information was accessed…” it may simply mean that they did not keep any records, and thus literally have “no evidence.”

Market Devaluation of Privacy

The market does not value privacy. Ensuring privacy is expensive, but the costs of violating privacy are small. Doing a simple cost/benefit analysis, organizations often come to the logical conclusion that the PR ‘costs’ of announcing a breach (especially when no hard proof of access exists) far outweigh any benefits.

In addition, most data breach notifications laws only require an organization to say, “Oops.” If the organization is feeling nice, they’ll say, “Oops, sorry.” And if they’re feeling gregarious, they’ll say, “Oops, sorry, and here’s a free report of how much damage has been done to your credit. You’ll still be at risk for years to come, though, so stay vigilant. Good luck.” But they have no responsibility to help you recover from financial identity theft, medical identity theft, or criminal identity theft. Merely getting a credit report does not protect against any of these risks.

Poor Communication

A cruel irony of data breaches is that the only source of information about a breach is filtered, packaged, and presented by the organization with the most incentive to skew the details. The breaching entity’s concern is to minimize perceived liability; therefore it is in their best interest to restrict the flow of information about the breach as far as possible.

I have read dozens of breach announcements, and they almost write themselves: “On X date, we discovered that some personal information was compromised. We acted immediately to make the information unavailable, and we have no evidence that anyone accessed it for inappropriate reasons. You should get a credit report as a precaution.” Keeping a victim in the dark about the details protects only the breaching entity.

Ignorance of Law

Even in states where breach notification laws exist, smaller organizations often assume that the law only applies in limited circumstances, to larger companies, or to particularly large breaches.

Notification Difficulty

For the most part, organizations which choose not to report breaches get away with it. But even under good circumstances, 100% victim notification is impossible. People move, phone numbers change, or addresses are incomplete or not on file. Letters that do arrive at the proper address may be ignored. Multiple contact strategies should be applied over long periods of time to reasonably ensure that most victims are notified.

I have suggested solutions to some of these problems here and with the creation of National ID Watch

Aaron Titus is the Privacy Director for the Liberty Coalition, and runs National ID Watch.

In Defense of Breach Notification Laws (sort of)

Titus — Sat, 17 Jan 2009 19:53:27 +0000

Note: This article was originally published on the Security Catalyst Blog.

Starting with California’s 2003 law, all but a hand full of states have now enacted breach notification laws (BNLs). Though each is subtly different, all notification laws recognize that a if your identity, or Data Self, is treated as mere chattel, it is subject to fraud and abuse. These laws require data stewards to notify an individual when his identity has been lost or kidnapped.

Your identity or Data Self is a digital alter-ego: a collection of personal facts which has its own life, fallacies, and mortality. Data is Self, but data is also treated like property. If Self is data, and data is property, then Self is property. If your Self is the property of others, then it can be bought, sold, traded, lost, stolen, or damaged like any other form of property. Identity Theft is just that: Where a person’s Data Self is stolen and abused.

Measures of BNL Success

With five years of breach notification law experience, it is essential to ask, “Are they working?” My shorthand answer is “yes, sort of.”

I’ll be the first to admit that breach notifications are noisy, and contain a strong element of political theater. Some contend that notification laws may even be harmful, distracting and confusing consumers into thinking they aren’t at risk if they don’t receive a notice. I agree that as currently written, breach notification laws have several shortcomings. But their success or failure should be measured in several ways:

Decreased Incidence of Identity Theft
Increased Awareness and Identity Control
Decreased Risk Behaviors and Incidence of Breach
Increased Victims’ Rights

1. Decreased Incidence of Identity Theft

Q: Do breach notification laws decrease identity theft?

A: Probably not. Several breach notification laws emphasize the need to protect consumers from identity theft and other misuse of a person’s Data Self. However, researchers Sasha Romanosky, Professor Rahul Telang, and Professor Alessandro Acquisti presented a well-reviewed paper which measured the change in the rate of reported identity thefts before and after data breach laws went on the books. Though drawn from incomplete FTC data, the paper convincingly demonstrates that breach notification laws have a negligible effect on reported identity theft rates. Instead, they suggest that a state’s gross domestic product and general fraud rate has a much stronger correlation with ID theft.

2. Increased Awareness and Identity Control

Q: Do breach notification laws increase identity risk awareness? How about consumers’ control over their identities?
A: Yes, to varying degrees. A cruel irony of data breaches is that the responsible organization is the only one who knows exactly what happened, and they have the strongest incentive to hide or skew the details. Many breaches go under- or unreported, regardless of law. Even well-intentioned organizations issue vague, incomplete, blame-shifting or liability-reducing press releases that leave victims in the dark. In order to effectively empower consumers to conduct their own risk analysis, breach notifications must contain the following elements:

Who: The class of victims affected by the breach.
What: A complete list of exposed information, not just the ones required by law.
Where: Exposing entity’s contact information.
How and When: Sufficiently detailed information about the how and when the breach occurred.
How Much: Total number affected, Sensitivity of information exposed, Duration of exposure, and Distribution method (ie, stolen laptop, online exposure, or dumpster).
What Now: A clear statement of consumer’s legal rights (or lack of rights); Concrete actions taken by the organization to fix problems, mitigate risk, or remedy harm; Suggested actions for the victim.

Of course, breach notification laws have much more lax reporting requirements than these. And although I agree that the average breach announcement is “noisy,” I think it would be a mischaracterization to label them as nothing more than “noise.” Even the least specific notifications build public awareness. For better or worse, most public awareness of identity risks come from news bulletins about data breaches. Although none of the announcements may put any particular individual on notice of a personal risk, these “noisy” notifications have a net positive effect of educating the population at large.

3. Decreased Risk Behaviors and Incidence of Breach

Q: Do breach notification laws decrease individual risk behavior?
A: Probably Not, but they have the potential to. An effective notification must contain actionable intelligence, which means Intelligence plus Action. For example, imagine that you are in a life raft in the middle of the ocean, with no hope of immediate rescue. You see bubbles. What do you do? You sink. You were able to gather intelligence, but had no way to act upon it. Intelligence without action breeds inaction.

However, imagine you’re on the same raft, and you see bubbles. But this time you have a patch kit and a hand pump. This time you have actionable intelligence, and you will likely attempt to patch the raft and pump it up.

An alert is only effective when it empowers a person to act. Typical breach announcements usually do nothing to empower individuals. Effective breach notifications require both intelligence and action. If either one of these elements is missing (as is often the case), it will fail to empower victims, and may even engender apathy.

Some suggest that in the current environment of data insecurity, consumers should be on constant high alert for identity theft, even without notice of a breach. After all, your Data Self is constantly being traded without your knowledge or consent in IT and business environments of questionable reputes.

It’s a nice thought, but not very helpful. Being on high alert all the time is essentially the same as not being on alert any of the time.

Q: Do breach notification laws encourage organizations to improve behavior?
A: Probably yes. The Romanosky paper found that notification laws likely encourage businesses to take more stringent safety precautions with personal information, because of the economic incentive to avoid breaches. However, the incentives to secure data do not appear to outweigh the market forces which devalue privacy. Both the Privacy Rights Clearinghouse and the OSF Data Loss Database show a steady, and perhaps even increasing number of breach incidents and lost records each year. While part of this increase may be attributable to better reporting, there is no solid indication that data breach incidents are decreasing.

4. Increased Victims’ Rights

Q: Do Breach Notification Laws Create New Rights for Consumers?
A: Absolutely yes. While not the silver bullet to cure all ails, breach notification laws are an important first step at creating rights for victims of breaches. Before BNLs, nobody had the right to know whether their Data Self had been compromised. Additional legislation will be necessary to address existing and emerging identity threats. Especially as Data Selves are treated as property, our society runs a risk that the unregulated trade of personal information could morph into a new form of digital human trafficking.

Legislative Improvements

Breach notification laws are a first step in regulating the trade of Data Selves. The right information at the right time, given to the right people, coupled with a clear course of action will empower people and catalyze change. Here are six legislative suggestions to effectively protect and empower consumers:

“Stewards,” not “Owners”: Given the tenuous and dangerous legal basis for “owning” personal information, notification laws should replace the concept of “personal information owners” with “personal information stewards.” This change would help sharpen the distinction between Data as Self versus Data as Property, and emphasize that third parties can’t “own” a Data Self. When Self is Data and Data is Property, then we run the risk that Self becomes Property.
Expand Reporting Requirements: Breach notifications should provide actionable intelligence, including who, what, when, how, how much, and “what now?” of each breach.
Standard Measures of Risk: I suggest using Size, Sensitivity, Duration, and Distribution.
Presumptive Loss: In order to successfully sue for a breach, a consumer must 1. Become an actual victim of identity theft, 2. Find the identity thief, 3. Prove that the thief’s copy of their SSN or other personal information came from the breaching entity, and 4. Prove that the entity had a legal obligation to keep that information private (a rare duty). This is an unreasonable and often insurmountable burden of proof. Instead, Tennessee has adopted a small presumptive “ascertainable loss” whenever a breach occurs. These nominal damages would recognize harm to reputation, apprehension, emotional distress, and violation of selfhood. They would also help counteract the market’s failure to value privacy
Require a Data Audit Trail: Stewards of personal information should maintain standard inventory controls on personal information, recording with whom and when the personal information was shared. This data trail would be used for data audits and could help establish causation in the case of a breach.
Automatic Credit Reporting: Consumers should get an automatic notification at any activity on their credit.

Aaron Titus is the Privacy Director for the Liberty Coalition and runs National ID Watch, and welcomes feedback.

Footnotes

Cal. Civ. Code §§ 1798.82-84.
See, e.g. N.H. Rev. Stat. § 359-C:2.
See, e.g. Ga. Code § 10-1-910(4),(7).
See, e.g. Cal. Civ. Code § 1798.81.5.(a).

Tenn. Code § 47-18-2102(1).

Florida State University Prof Posts 33 Students’ SSNs Online

Titus — Tue, 01 Apr 2008 14:02:16 +0000

TALLAHASSEE, Florida. The personal information of 66 Florida State University students sat on a public FSU Chemistry Department server for more than five years. Several files included names, 33 social security numbers, grades, homework and exam scores. All of the individuals affected by this breach appear to be former students of Dr. Steinbock, an FSU professor.

The Liberty Coalition discovered the files in late January, 2008 and notified the university. FSU quickly removed the files from the server, but they remained available through search engine caches until late March, 2008.

This incident falls into a nationwide pattern where university professors use public university servers to back up sensitive student personal information, either unaware of the sensitive information, or unaware that the information would be available to the public.

Individuals affected by this exposure should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.

About SSNBreach.org

Sponsored by the Washington, DC non-profit Liberty Coalition, SSNBreach.org provides hundreds of thousands of free personalized Identity Exposure Reports™ as a public service.

Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, victims can further investigate, take action, or correct harm.

Source: https://www.ssnbreach.org/release.php?g=73

Texas A&M Prof Posts Partial SSNs, Grades of Former Students Online

Titus — Tue, 01 Apr 2008 13:58:57 +0000

COLLEGE STATION, Texas. On November 21, 2000, someone posted the names, scores, Grades, and last five digits of 44 students’ social security numbers on a Texas A&M server. All affected students attended Dr. Clyde Munster’s Fall 1998 Hydrologic Principles in Agriculture class (AGEN 350). The Liberty Coalition discovered the files in late November, 2007. Though the university quickly removed the files from public access after notification, copies remained online through late March, 2008 in search engine caches.

This breach fits within a common pattern where university faculty or staff use university servers to store backed-up files, assuming that since the system requires a password to upload files, that the servers are private. Unfortunately, in this instance, some of Dr. Munster’s backed-up files contained sensitive information which was made available online and picked up by search engines.

Individuals affected by this exposure should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.

About SSNBreach.org

Sponsored by the Washington, DC non-profit Liberty Coalition, SSNBreach.org provides hundreds of thousands of free personalized Identity Exposure Reports™ as a public service.
Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, victims can further investigate, take action, or correct harm.

Source: https://www.ssnbreach.org/release.php?g=80