Archive for category Data Breaches

Cost of Data Breaches Rises

Note: This post originally appeared on JeffreyNeu.com.
ZDNet reports that the cost of a data breach has gone up 2.5% from 2007, according to research published by the Ponemon Institute.

After comparing data from 43 companies (including several repeat offenders), the study found that companies lose just over $200 per compromised record. Significantly, lost business due to a lack of customer trust and brand diminishment comprises 69% of the cost.

Forget about the cost of postage… businesses stand to lose much more in sales from customers who read, “We regret to inform you…”


The Top 5 Reasons You Won’t Hear About a Breach

Note: This article originally appeared on the Security Catalyst Blog.

I have personally discovered more than a hundred data breaches by schools, companies, doctors’ offices, tax professionals, government agencies, and individuals over the past several years. Unfortunately, very few of the breaching entities proactively announce an average breach, regardless of the law. Here are the most common reasons:

  1. Failure to Detect
  2. Market Devaluation of Privacy
  3. Poor Communication
  4. Ignorance of Law
  5. Notification Difficulty

Failure to Detect

Many organizations do not have proper diagnostic processes to detect breaches when they occur, and many do not keep proper logs. Thus, when a press release reads, “we have no evidence that the sensitive information was accessed…” it may simply mean that they did not keep any records, and thus literally have “no evidence.”

Market Devaluation of Privacy

The market does not value privacy. Ensuring privacy is expensive, but the costs of violating privacy are small. Doing a simple cost/benefit analysis, organizations often come to the logical conclusion that the PR ‘costs’ of announcing a breach (especially when no hard proof of access exists) far outweigh any benefits.

In addition, most data breach notification laws only require an organization to say, “Oops.” If the organization is feeling nice, they’ll say, “Oops, sorry.” And if they’re feeling gregarious, they’ll say, “Oops, sorry, and here’s a free report of how much damage has been done to your credit. You’ll still be at risk for years to come, though, so stay vigilant. Good luck.” But they have no responsibility to help you recover from financial identity theft, medical identity theft, or criminal identity theft. Merely getting a credit report does not protect against any of these risks.

Poor Communication

A cruel irony of data breaches is that the only source of information about a breach is filtered, packaged, and presented by the organization with the most incentive to skew the details. The breaching entity’s concern is to minimize perceived liability; therefore it is in their best interest to restrict the flow of information about the breach as far as possible.

I have read dozens of breach announcements, and they almost write themselves: “On X date, we discovered that some personal information was compromised. We acted immediately to make the information unavailable, and we have no evidence that anyone accessed it for inappropriate reasons. You should get a credit report as a precaution.” Keeping a victim in the dark about the details protects only the breaching entity.

Ignorance of Law

Even in states where breach notification laws exist, smaller organizations often assume that the law only applies in limited circumstances, to larger companies, or to particularly large breaches.

Notification Difficulty

For the most part, organizations which choose not to report breaches get away with it. But even under good circumstances, 100% victim notification is impossible. People move, phone numbers change, or addresses are incomplete or not on file. Letters that do arrive at the proper address may be ignored. Multiple contact strategies should be applied over long periods of time to reasonably ensure that most victims are notified.

I have suggested solutions to some of these problems here and with the creation of National ID Watch.

Aaron Titus is the Privacy Director for the Liberty Coalition, and runs National ID Watch.


In Defense of Breach Notification Laws (sort of)

Note: This article was originally published on the Security Catalyst Blog.

Starting with California’s 2003 law, all but a handful of states have now enacted breach notification laws (BNLs). Though each is subtly different, all notification laws recognize that if your identity, or Data Self, is treated as mere chattel, it is subject to fraud and abuse. These laws require data stewards to notify an individual when his identity has been lost or kidnapped.

Your identity or Data Self is a digital alter-ego: a collection of personal facts which has its own life, fallacies, and mortality. Data is Self, but data is also treated like property. If Self is data, and data is property, then Self is property. If your Self is the property of others, then it can be bought, sold, traded, lost, stolen, or damaged like any other form of property. Identity Theft is just that: Where a person’s Data Self is stolen and abused.

Measures of BNL Success

With five years of breach notification law experience, it is essential to ask, “Are they working?” My shorthand answer is “yes, sort of.”

I’ll be the first to admit that breach notifications are noisy, and contain a strong element of political theater. Some contend that notification laws may even be harmful, distracting and confusing consumers into thinking they aren’t at risk if they don’t receive a notice. I agree that as currently written, breach notification laws have several shortcomings. But their success or failure should be measured in several ways:

  1. Decreased Incidence of Identity Theft
  2. Increased Awareness and Identity Control
  3. Decreased Risk Behaviors and Incidence of Breach
  4. Increased Victims’ Rights

1. Decreased Incidence of Identity Theft

Q: Do breach notification laws decrease identity theft?

A: Probably not. Several breach notification laws emphasize the need to protect consumers from identity theft and other misuse of a person’s Data Self. However, researchers Sasha Romanosky, Professor Rahul Telang, and Professor Alessandro Acquisti presented a well-reviewed paper which measured the change in the rate of reported identity thefts before and after data breach laws went on the books. Though drawn from incomplete FTC data, the paper convincingly demonstrates that breach notification laws have a negligible effect on reported identity theft rates. Instead, they suggest that a state’s gross domestic product and general fraud rate have a much stronger correlation with ID theft.

2. Increased Awareness and Identity Control

Q: Do breach notification laws increase identity risk awareness? How about consumers’ control over their identities?
A: Yes, to varying degrees. A cruel irony of data breaches is that the responsible organization is the only one who knows exactly what happened, and they have the strongest incentive to hide or skew the details. Many breaches go under- or unreported, regardless of law. Even well-intentioned organizations issue vague, incomplete, blame-shifting or liability-reducing press releases that leave victims in the dark. In order to effectively empower consumers to conduct their own risk analysis, breach notifications must contain the following elements:

  • Who: The class of victims affected by the breach.
  • What: A complete list of exposed information, not just the ones required by law.
  • Where: Exposing entity’s contact information.
  • How and When: Sufficiently detailed information about how and when the breach occurred.
  • How Much: Total number affected, sensitivity of information exposed, duration of exposure, and distribution method (i.e., stolen laptop, online exposure, or dumpster).
  • What Now: A clear statement of consumer’s legal rights (or lack of rights); Concrete actions taken by the organization to fix problems, mitigate risk, or remedy harm; Suggested actions for the victim.

Of course, breach notification laws have much more lax reporting requirements than these. And although I agree that the average breach announcement is “noisy,” I think it would be a mischaracterization to label them as nothing more than “noise.” Even the least specific notifications build public awareness. For better or worse, most public awareness of identity risks comes from news bulletins about data breaches. Although none of the announcements may put any particular individual on notice of a personal risk, these “noisy” notifications have a net positive effect of educating the population at large.

3. Decreased Risk Behaviors and Incidence of Breach

Q: Do breach notification laws decrease individual risk behavior?
A: Probably not, but they have the potential to. An effective notification must contain actionable intelligence, which means Intelligence plus Action. For example, imagine that you are in a life raft in the middle of the ocean, with no hope of immediate rescue. You see bubbles. What do you do? You sink. You were able to gather intelligence, but had no way to act upon it. Intelligence without action breeds inaction.

However, imagine you’re on the same raft, and you see bubbles. But this time you have a patch kit and a hand pump. This time you have actionable intelligence, and you will likely attempt to patch the raft and pump it up.

An alert is only effective when it empowers a person to act. Typical breach announcements usually do nothing to empower individuals. Effective breach notifications require both intelligence and action. If either one of these elements is missing (as is often the case), it will fail to empower victims, and may even engender apathy.

Some suggest that in the current environment of data insecurity, consumers should be on constant high alert for identity theft, even without notice of a breach. After all, your Data Self is constantly being traded without your knowledge or consent in IT and business environments of questionable repute.

It’s a nice thought, but not very helpful. Being on high alert all the time is essentially the same as not being on alert any of the time.

Q: Do breach notification laws encourage organizations to improve behavior?
A: Probably yes. The Romanosky paper found that notification laws likely encourage businesses to take more stringent safety precautions with personal information, because of the economic incentive to avoid breaches. However, the incentives to secure data do not appear to outweigh the market forces which devalue privacy. Both the Privacy Rights Clearinghouse and the OSF Data Loss Database show a steady, and perhaps even increasing, number of breach incidents and lost records each year. While part of this increase may be attributable to better reporting, there is no solid indication that data breach incidents are decreasing.

4. Increased Victims’ Rights

Q: Do Breach Notification Laws Create New Rights for Consumers?
A: Absolutely yes. While not the silver bullet to cure all ills, breach notification laws are an important first step at creating rights for victims of breaches. Before BNLs, nobody had the right to know whether their Data Self had been compromised. Additional legislation will be necessary to address existing and emerging identity threats. Especially as Data Selves are treated as property, our society runs a risk that the unregulated trade of personal information could morph into a new form of digital human trafficking.

Legislative Improvements

Breach notification laws are a first step in regulating the trade of Data Selves. The right information at the right time, given to the right people, coupled with a clear course of action will empower people and catalyze change. Here are six legislative suggestions to effectively protect and empower consumers:

  1. “Stewards,” not “Owners”: Given the tenuous and dangerous legal basis for “owning” personal information, notification laws should replace the concept of “personal information owners” with “personal information stewards.” This change would help sharpen the distinction between Data as Self versus Data as Property, and emphasize that third parties can’t “own” a Data Self. When Self is Data and Data is Property, then we run the risk that Self becomes Property.
  2. Expand Reporting Requirements: Breach notifications should provide actionable intelligence, including who, what, when, how, how much, and “what now?” of each breach.
  3. Standard Measures of Risk: I suggest using Size, Sensitivity, Duration, and Distribution.
  4. Presumptive Loss: In order to successfully sue for a breach, a consumer must 1. become an actual victim of identity theft, 2. find the identity thief, 3. prove that the thief’s copy of their SSN or other personal information came from the breaching entity, and 4. prove that the entity had a legal obligation to keep that information private (a rare duty). This is an unreasonable and often insurmountable burden of proof. Instead, Tennessee has adopted a small presumptive “ascertainable loss” whenever a breach occurs. These nominal damages would recognize harm to reputation, apprehension, emotional distress, and violation of selfhood. They would also help counteract the market’s failure to value privacy.
  5. Require a Data Audit Trail: Stewards of personal information should maintain standard inventory controls on personal information, recording with whom and when the personal information was shared. This data trail would be used for data audits and could help establish causation in the case of a breach.
  6. Automatic Credit Reporting: Consumers should get an automatic notification at any activity on their credit.

Aaron Titus is the Privacy Director for the Liberty Coalition and runs National ID Watch, and welcomes feedback.


Footnotes

Cal. Civ. Code §§ 1798.82-84.
See, e.g., N.H. Rev. Stat. § 359-C:2.
See, e.g., Ga. Code § 10-1-910(4),(7).
See, e.g., Cal. Civ. Code § 1798.81.5(a).
Tenn. Code § 47-18-2102(1).


Florida State University Prof Posts 33 Students’ SSNs Online

TALLAHASSEE, Florida. The personal information of 66 Florida State University students sat on a public FSU Chemistry Department server for more than five years. Several files included names, 33 social security numbers, grades, homework and exam scores. All of the individuals affected by this breach appear to be former students of Dr. Steinbock, an FSU professor.

The Liberty Coalition discovered the files in late January, 2008 and notified the university. FSU quickly removed the files from the server, but they remained available through search engine caches until late March, 2008.

This incident falls into a nationwide pattern where university professors use public university servers to back up sensitive student personal information, either unaware of the sensitive information, or unaware that the information would be available to the public.

Individuals affected by this exposure should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.

About SSNBreach.org

Sponsored by the Washington, DC non-profit Liberty Coalition, SSNBreach.org provides hundreds of thousands of free personalized Identity Exposure Reports™ as a public service.

Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, victims can further investigate, take action, or correct harm.

Source: https://www.ssnbreach.org/release.php?g=73


Texas A&M Prof Posts Partial SSNs, Grades of Former Students Online

COLLEGE STATION, Texas. On November 21, 2000, someone posted the names, scores, grades, and last five digits of 44 students’ social security numbers on a Texas A&M server. All affected students attended Dr. Clyde Munster’s Fall 1998 Hydrologic Principles in Agriculture class (AGEN 350). The Liberty Coalition discovered the files in late November, 2007. Though the university quickly removed the files from public access after notification, copies remained online through late March, 2008 in search engine caches.

This breach fits within a common pattern where university faculty or staff use university servers to store backed-up files, assuming that because the system requires a password to upload files, the servers are private. Unfortunately, in this instance, some of Dr. Munster’s backed-up files contained sensitive information which was made available online and picked up by search engines.

Individuals affected by this exposure should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.


Source: https://www.ssnbreach.org/release.php?g=80


UConn Prof Posts 14 Student SSNs Online

STORRS, Connecticut. On or before July 24, 2003, former UConn Economics Professor Dr. Stiver loaded an Excel file onto his University of Connecticut home page which contained the names, last eight digits of the social security numbers, scores, and grades of 14 students. All of the affected individuals appeared to be Dr. Stiver’s former Economics 242 students.

University officials had already discovered the file during an internal audit in early February, 2008, before the Liberty Coalition was able to notify them of the exposure. By the time the Liberty Coalition contacted the University of Connecticut, they had already deleted the file, worked with all major search engines to clear their caches, and notified each affected student. To its credit, the University also offered each student two free years of credit checking, which is not technically required by law.

This exposure falls into a national pattern where professors use public university servers to store sensitive personal information.

Individuals affected by this exposure should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.


Source: https://www.ssnbreach.org/release.php?g=81


Stevens Institute of Technology Posts 9 Student SSNs Online

HOBOKEN, New Jersey. Stevens Institute of Technology professor L.E. Levine posted a file with names, Social Security Numbers and homework scores for 7 students who apparently took his course “MA681” in the Fall of 1999. According to the server personal.stevens.edu, the files were posted on or before April, 2001. Though Dr. Levine deleted them immediately after he was notified of the exposure, the information remained available through search engine caches until March, 2008.

By placing this information online, Stevens Institute of Technology has put these students at increased risk of identity theft and other forms of fraud.

Individuals affected by this exposure should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.

About SSNBreach.org

Sponsored by the Washington, DC non-profit Liberty Coalition, SSNBreach.org provides hundreds of thousands of free personalized Identity Exposure Reports™ as a public service.
SSNBreach.org documents the types of information exposed, but does NOT contain sensitive data, such as Social Security Numbers, Birth Dates, Addresses, etc. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Once we document the types of exposed information and the situation surrounding the exposure, we include the information in personalized Identity Exposure Reports. This information allows victims to further investigate, take action, or correct harm.

Source: https://www.ssnbreach.org/release.php?g=71


University of Iowa has Another Breach

IOWA CITY, Iowa. In the second exposure of sensitive information in as many months, the University of Iowa posted sensitive student information online. Two files, discovered in January, 2008, which appear to contain the names, grades, and last four digits of nine students’ social security numbers, were posted on the Computer Sciences Department website. All of the students appear to have attended the Summer 2001 22c-112 course, taught by Aditya Kumar Sehgal, Ph.D.

According to the server, the information had been online since at least November, 2004. Though the university acted quickly to delete the files from their servers, copies remained available through major search engine caches through late March, 2008.

Individuals affected by this exposure should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.


Source: https://www.ssnbreach.org/release.php?g=70


Shabazz Academy Posts K-5 Student Addresses Online

LANSING, Michigan. In late December, 2007 the Liberty Coalition discovered an Excel file on the Shabazz Public School Academy website with the names, addresses, phone numbers, and emergency contact information for 125 students, parents, and others. Of those affected, 69 are Pre-K through fifth grade students. Though no social security numbers or credit card numbers were exposed, some parents may be legitimately alarmed at the release of contact information for their young children.

The file was created on October 9, 2006. The school acted quickly to delete the file from their server and notify parents, but the file remained available through search engine caches until late February, 2008.

Individuals affected by this exposure should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.


Source: https://www.ssnbreach.org/release.php?g=78


Wright State University Prof Posts 395 Grades, 38 Partial SSNs Online

DAYTON, Ohio. The Wright State University Computer Sciences Department has posted the names and last five digits of 38 students’ social security numbers on their website. All of the students affected seem to be former students of Dr. Junghsen Lieh, Ph.D., who took Materials Engineering courses between 1997 and 2005. In addition to the partial social security numbers, the individual scores and grades for roughly 395 students are also posted.

According to Dr. Lieh, the files were made during a large backup of a corrupted and damaged PC in March 2006, though many of the files are considerably older than that. This breach falls within a common national pattern of faculty who use online university servers to back up files, some of which may be sensitive in nature. The Liberty Coalition notified Dr. Lieh and the Wright State University General Counsel. Though the files were deleted from the server within 24 hours, copies remained available through Yahoo’s search engine cache until late March, 2008.

Much of the information exposed in this incident may be protected by FERPA. In addition, the last four or five digits of the social security number are used by some financial institutions and businesses to extend credit, or as passwords.

Individuals affected by this exposure should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.


Source: https://www.ssnbreach.org/release.php?g=77
