Archive for category Data Breaches

SSNBreach.org: Whizlink.com Breach

SSNBreach.org announced that whizlink.com posted an Excel file which contained what appeared to be a call list with personal information of 1,299 sales leads. The file appeared to contain full names, addresses, phone numbers, financial information, and individualized comments like, “WAS IN HURRY. CALL AFTER 8 PM,” “REFINANCE+DEBTS CONSOLIDATION,” “FICO SCORE – 540,” “LOAN OFFICER – TIM,” “HE IS LOOKING FOR 50000 FOR TO PY OFF THE DEBTS AND FOR THE HOME IMP,” and “HUNG UP ON SSN.”

The file was available through Google. The domain was registered to Sanjiv Bhagat, an employee of California mortgage services company American Vision Financial Inc., and was hosted on his employer’s server. However, he insists that he knew nothing about the file, and was unaware that someone had stolen his administrative passwords in order to post the site.

If you think you may have been affected by this data breach, you can securely search for your name at www.ssnbreach.org to get a more detailed picture of what personal information was exposed.

SSNBreach.org Announces York County, PA Courts Breach

In July 2007, the York County, PA court website posted a file containing the full names, addresses, home and cell phone numbers, race, social security numbers, and other sensitive information for approximately 97 people. The individuals appeared to be deputized employees of the court.

The court became aware of the breach before July 6th, 2007, and on that date President Judge Richard K. Renn issued an order to Google, Inc. to clear their caches of files containing sensitive personal information. However, as of August 20, 2007 the file was still available on the York County website. The file was removed, and Google’s caches cleared by August 25th, 2007.

If you think you may have been affected by this data breach, you can securely search for your name at www.ssnbreach.org to get a more detailed picture of what personal information was exposed.

SSNBreach.org Announces Williamsport, PA Police Department Breach

The Williamsport, PA police department website exposed the names, birth dates, social security numbers, and other potentially sensitive information of approximately 174 individuals. SSNBreach.org notified the police department because, although the file had already been removed from williamsportpd.org, it was still cached by Google.

The file purported to be updated as of 6/27/2007. If you live in Williamsport, PA, and think you may have been on this list, you can search for your name at www.ssnbreach.org and get a more detailed picture of what information was exposed.

SSNBreach.org Announces Tyler Pension Management Solutions Breach

SSNBreach.org announced today that Tyler Pension Management Solutions (NYSE: TYL) posted a file online that contained the full names, ages, social security numbers, and other pension information of more than 650 individuals.

The company provides online access to pension information for businesses and pensioners alike, but it’s not clear whether the breached file was related to Tyler’s online Pension Management tools.

Tyler acted quickly to take the files down and clear caches of major search engines. Individuals who think they may be victims of this identity breach may securely search for their name at SSNBreach.org.

When Data Breaches go Unreported

UNREPORTED BREACHES

I have encountered dozens of data breaches by schools, companies, doctors’ offices, and other organizations over the past two years. Of the many lessons I’ve gleaned from these experiences, one stands out: An alarming number of breaches go unreported. While the cause may differ from one instance to another, I have discovered several recurring themes:

  • Entities Fail to Detect Breaches. Many organizations do not have proper diagnostic processes to detect breaches when they occur, and many do not even keep proper logs. Thus, when many press releases read, “we have no evidence that the sensitive information was accessed…” it may simply mean that they did not keep any records, and thus literally have “no evidence.”
  • Entities Underestimate the Severity of Breaches. Doing a simple cost/benefit analysis, organizations often come to the logical conclusion that the PR ‘costs’ of announcing a breach (especially when no proof of access exists) far outweigh any benefits. However, when the victims learn of the breach directly, or when the media is notified of the breach, organizations tend to take it more seriously.
  • Victims Lack Sufficient Information to Advocate for their own Interests. One of the cruel ironies of data breaches is that the only source of information about a breach is filtered, packaged, and presented by the organization responsible for the breach. The breaching entity’s concern is to minimize perceived liability; therefore it is in their best interest to restrict the flow of information about the breach as far as possible. Without a complete understanding of what information was breached, victims are unable to be effective advocates for themselves.
  • Organizations are Ignorant of Applicable Law, if it Exists. Even in states where breach notification laws exist, smaller organizations often assume that the law only applies in limited circumstances, to larger companies, or to particularly large breaches.
  • Leaders are Uncertain of Proper Action. I think that most organization leaders intend to do the right thing. But in the event of a breach, some aren’t sure exactly what to do, how to make an announcement, who to notify, or under what circumstances they must make an announcement. And there aren’t many resources to help them figure things out.
  • The Market does not Value Privacy. Privacy is expensive, but the costs of violating privacy are small. In many countries, privacy laws counteract the Market’s enmity toward privacy. The United States has precious few laws to counteract anti-privacy market forces. Until the Market recognizes the true costs to society for failing to protect privacy, privacy legislation is necessary.
  • Ironically, the Victims’ Privacy May Shield the Breaching Entity. Every once in a while, a breaching entity will attempt to sacrilegiously wrap itself in the victims’ cloak of privacy, the very cloak it has just tattered. These entities might fail to report any relevant information about a breach on the false premise that they wish to protect the privacy of those affected. Of course, keeping a victim in the dark about the extent of an identity breach does not protect him; it only protects the breaching entity.

And for the most part, organizations which choose not to report breaches get away with it.

REPORTED BREACHES

I believe that breaching organizations have at minimum a moral (and often legal) responsibility to notify victims of their risks. I also believe they have moral obligations to bear the true costs of their mistakes. However, even if a breach is detected and reported, full notification is functionally impossible under almost every circumstance, even among well-intentioned organizations:

  1. Not everyone will read the press release. Most breaches have a media shelf life of only 24-72 hours. The assertion that every victim of an identity breach will hear about the breach and be able to identify himself as a victim within the first 72 hours of media attention is ludicrous. However, a victim who misses the announcement remains at risk for years.
  2. 100% contact is functionally impossible. Even if the breaching organization has a record of the victims’ contact information, the information may be out of date. People move, phone numbers change, and many addresses are incomplete or not on file. Letters that do arrive at the proper address may be ignored. Though direct contact is the best method of notification, even a good-faith effort of direct mailing and phone calling cannot ensure that everyone is notified. Multiple contact strategies should be applied over long periods of time to reasonably ensure that most victims are notified.
  3. The notification message is always incomplete. I have read dozens of breach press releases, and they almost write themselves: “On X date, we discovered that some personal information was compromised. We acted immediately to make the information unavailable, and we have no evidence that anyone accessed it for inappropriate reasons. You should get a credit report as a precaution.” For reasons explained above, I have yet to read a single breach announcement that explains the full depth and breadth of a breach. The lack of information keeps victims in the dark about what their true risks are, and denies them the opportunity to be effective advocates for themselves.
  4. Many breach notification laws are weak. Most data breach notification laws only require an organization to say, “Oops.” If the organization is feeling nice, they’ll say, “Oops, sorry.” And if they’re feeling gregarious, they’ll say, “Oops, sorry, and here’s a free report of how much damage has been done to your life. You’ll still be at risk for years to come, though, so stay vigilant. Good luck.” But they have no responsibility to help you clear your name when someone purchases a car or home in your name, or when someone commits a crime with your identity, or if an identity thief makes it impossible for you to qualify for medical insurance. Merely getting a credit report does not protect against many of these risks, and victims can’t look to the breaching entity for help.

UTOPIA

Some privacy advocates dream of a fairy tale Utopia where all victims of identity breach will receive a personalized phone call or letter, detailing the extent of the breach, and an explanation of exactly what risks they face.

It is a dream I do not share.

In fact, the more I think about this dream, the more nightmarish it becomes. In this “Utopia,” every organization you come in contact with (every store, school, business, church, club, or government agency) must collect a full battery of contact and personally identifiable information with which to notify you of a potential future breach. Since the risk of breach can increase with time, these organizations would have to maintain updated records on your whereabouts, contact information, and identifiable information in perpetuity. To believe in such a privacy fairy tale world is not only naïve, but dangerous.

Louisiana State Board of Regents Breach

In late June 2007, I discovered approximately 163,000 social security numbers, and contact information for nearly 200,000 Louisianans, in nearly 200 online documents. The affected individuals appear to be mainly former Louisiana high school students born between about 1979 and 1987, as well as roughly 34,000 Louisiana state education employees. I have calculated that the files themselves have a street value of more than $4 million, and represent almost a billion dollars’ worth of potentially stolen credit.

The files were posted on a website belonging to the Louisiana State Board of Regents, which appeared to be an online interface for an internal network. The files with sensitive information were among internal documents, usernames, passwords, company e-mail, personnel records, personal documents, family photos, and pornography. While parts of the network were password-protected, the folders containing these 200 files were open to the public, and not password protected. Many of them were indexed by major search engines. While nobody knows exactly how long the files were exposed, WDSU in New Orleans reports that the files may have been online as long as 1-2 years. The Board of Regents has posted an advisory on the subject. They have indicated that

Any student who was enrolled in the 10th grade at a Louisiana public high school and took the EPAS (Educational Planning and Assessment) Plan test between 2001 and 2003, [and] Any Louisiana public college or university faculty or staff member who was employed in either 2000 or 2001 [are at risk].

As of the date of the breach, the Louisiana State Education system used a student’s Social Security Number as their student ID.

The Louisiana State Board of Regents acted quickly to take the website down once they became aware of its existence. They immediately notified the Department of Education and the Louisiana State Attorney General of the breach, and began an internal investigation. They also contacted Google to request that they clear their search engine caches. By the first week of July 2007, Google’s cache had begun to clear. On July 6th, I also contacted Google’s Associate General Counsel and Vice President of Engineering, and asked them to completely clear Google’s cache. Google’s caches were clear within several hours of the request.

This breach is so massive that, unlike the Arkansas.gov breach, I am unable to directly contact all of the affected individuals. To assist the Board of Regents in notifying people affected by this breach, I am working with the Liberty Coalition to create a free victims’ resource online at www.ssnbreach.org. There, individuals are able to ascertain whether they were affected by this release of personal information, and learn what steps they can take to mitigate their own long-term risk. The website also contains resources from ftc.gov and other reputable organizations and companies. I was also able to negotiate discounts on ID theft protection services on behalf of the victims, if they need them.

How www.ssnbreach.org Works

When a user visits www.ssnbreach.org, they may search for their name, to find out whether they were affected by this breach. Because ssnbreach.org does not contain Social Security Numbers, addresses, phone numbers, or any other sensitive data, users are not able to search by any criteria other than their names. Neither I nor the Liberty Coalition have any interest in becoming stewards of sensitive personal information.

SSNBreach.org does not store any social security numbers, or even complete addresses, etc. Instead, the website gives users a Yes/No report on whether their identity may have been compromised. This “Information Exposure Report” (IXR) also includes links to resources to help victims take protective action. Once an individual reads his IXR, he may choose to permanently hide key details of the report.

In order to help people with similar names to distinguish themselves, ssnbreach.org stores a small piece of distinguishing information such as a partial zip code, the first few digits of an address, or last few digits of a phone number. This is enough information for “John Smith” to be able to identify himself from among the other John Smiths, but is insufficient for a third party to positively identify or locate him, based solely on that information.
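The minimal-disclosure design described above, as an added example written for this page (it is not SSNBreach.org's code): the leaked rows are constructed samples using the Arkansas column names, and the index keeps only a normalized name, a disambiguating hint (partial zip, last four phone digits), and the types of fields exposed, never the values.

```python
import re
from dataclasses import dataclass

# Constructed sample rows standing in for a leaked spreadsheet (not real people).
LEAKED_ROWS = [
    {"first": "John", "last": "Smith", "ssn": "123-45-6789", "dob": "1975-03-02",
     "address": "1245 Elm St", "zip": "72201", "phone": "501-555-0143"},
    {"first": "John", "last": "Smith", "ssn": "987-65-4321", "dob": "1981-11-20",
     "address": "88 Oak Ave", "zip": "72701", "phone": "479-555-0199"},
    {"first": "Maria", "last": "Lopez", "ssn": "555-12-3456", "dob": "1979-07-14",
     "address": "9 Pine Rd", "zip": "71201", "phone": "318-555-0177"},
]
SENSITIVE = ("ssn", "dob", "address", "zip", "phone")   # assumed field names

@dataclass
class ExposureRecord:
    hint: str             # partial zip / last phone digits, for disambiguation only
    exposed: tuple        # which field TYPES leaked; the values are never stored
    hidden: bool = False  # set once the victim chooses to hide key details

def normalize_name(first, last):
    return re.sub(r"[^a-z]", "", f"{last}{first}".lower())

def make_hint(row):
    # Enough for one John Smith to recognise his own row, not enough to locate him.
    parts = []
    if row.get("zip"):
        parts.append(f"zip {row['zip'][:3]}..")
    if row.get("phone"):
        digits = re.sub(r"\D", "", row["phone"])
        parts.append(f"phone ..{digits[-4:]}")
    return ", ".join(parts)

def build_index(rows):
    # Reduce leaked rows to: normalized name -> [hint + exposed field types].
    index = {}
    for row in rows:
        key = normalize_name(row["first"], row["last"])
        exposed = tuple(f for f in SENSITIVE if row.get(f))
        index.setdefault(key, []).append(ExposureRecord(make_hint(row), exposed))
    return index

def lookup(index, first, last):
    # IXR-style result: one entry per matching name; an empty list means "No".
    matches = index.get(normalize_name(first, last), [])
    return [{"hint": r.hint, "exposed": () if r.hidden else r.exposed} for r in matches]

def hide_details(index, first, last, hint):
    # Let a victim permanently suppress the exposed-field detail of his own entry.
    for r in index.get(normalize_name(first, last), []):
        if r.hint == hint:
            r.hidden = True
            return True
    return False

def index_leaks_values(index, rows):
    # Self-check before publishing: True if any raw sensitive value survived.
    blob = repr(index)
    return any(row[f] in blob for row in rows for f in SENSITIVE if row.get(f))
```

The self-check at the end is the property the post relies on: the stored index must be useless to a third party even if it were itself leaked.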

The first version of the website will go live tonight by 11:00 Eastern.

Potential Arkansas.gov Data Breach

I recently stumbled across a Google-cached version of a Microsoft Excel file which contained a list of roughly 284 individuals who appear to be psychologists licensed in the state of Arkansas. Arkansas.gov had posted some very sensitive information about these individuals.

The Google cache of the Excel document listed the following information for each of the roughly 284 individuals.

  • License Type
  • License Number
  • License Status
  • SSN
  • Title
  • First Name
  • Middle Name
  • Last Name
  • Address
  • Address 2
  • City
  • State
  • Zip
  • Work Phone
  • EMail
  • License Began
  • License Expires
  • High Degree
  • DOB
  • SuperviseDate
  • Spoken Languages
  • Sign Languages

As of June 10, 2007, the file was still available through the Arkansas Psychology Board website site map, with two notable exceptions. The June 10th version did NOT contain the columns named “SSN” or “DOB.” I don’t know when the previous version (picked up by search engine caches) was posted online, but the server reported that it was “last modified” on May 31, 2007 at 12:17:

Name Last modified Size Description
-------------------------------------------------
Parent Directory 06-Jun-2007 15:02 -
[Redacted].xls 31-May-2007 12:17 134k

I was able to alert almost 250 of them to the existence of the file in an e-mail:

My name is Aaron Titus. I am a private citizen, and privacy advocate. I am sending this e-mail to warn that you may be at extreme risk of identity theft….

The existence of this information may or may not come as a surprise to you, but should be of concern. This file (or some previous version of this file) probably contains sufficient information for someone to commit identity theft in your name. In addition, this file (or some previous version of the file) may be stored permanently in search engine caches or web archives. I strongly suggest that you check your credit report as soon as possible. The FTC has posted information on how you can access your credit report, at http://www.ftc.gov/bcp/conline/pubs/credit/freereports.shtm.

You are free to call me directly if you have any questions, but I have no additional information than what I have given you. I have not attempted to contact the Arkansas State government, nor the Arkansas Psychology Board. I am sending this message as a concerned individual, and not on behalf of, or in association with, any organization or company….

I quickly received several thank-you letters and phone calls in return, some reporting past identity theft attempts.

Arkansas.gov Privacy Policy

Just for fun, I took a look at Arkansas.gov’s Privacy Policy. As usual, it does not come close to dealing with a situation like this. The closest I could find to a statement on-point was in the section under the Arkansas Freedom of Information Act:

The Arkansas government has information about individuals… contained in the public records of the Arkansas state and local government. … See Ark. Code Ann. § 25-19-105. Information generally available under the Arkansas Freedom of Information Act and not made confidential elsewhere in the Arkansas Code or by federal law may be posted for electronic access through the Information Network of Arkansas.

The Arkansas Freedom of Information Act recognizes many concerns people have with regard to public records that include information about them, including the right to correct inaccurate information. Consequently, persons concerned with regard to information about them should contact the custodian of the record, which typically is the state agency or other governmental entity that collects and maintains the information.

Translation: “If we decide that your SSN is in the public record, we can publish it with impunity, but don’t worry, we’ll fix it if it’s wrong.” I’m sure that policy will be very comforting to the psychologists whose information the Arkansas government threw to the wind.
