Monday, March 16, 2009

Disclose This!

Over the past five years there has been an inundation of breach disclosure laws at both state and federal levels, all designed to ‘help’ the individual. We’ve managed to create a whole new term for this called PII – Personally Identifiable Information (which varies considerably). But what is it really doing for us? Is it really incenting companies to protect our data? I think you only need to open the papers to say otherwise. It’s as if everything is ok as long as we know it happened. Would we accept a medical system that writes the obituaries when someone dies, but does nothing to prevent sickness and death?

Over the years, the US has been fairly unique in the promulgation of these types of laws. At least 38 states have laws on breach disclosure. The big start was California State Bill 1386. Here in Ohio we have our own House Bill 104. Oh, and here in Ohio about 1 in 10 people have had data disclosed just by the state. I was also lucky enough to have my personal information lost by my Alma Mater too, Ohio University (go Bobcats!). In many ways, the Red Flag rules that have all the banks running around are still the same thing. However, all the focus is on detecting and notifying about identify theft, NOT preventing it.

When I hear about a data breach, I have so many things going through my head, things that I also hear others say. “Oh gee, thanks for letting me know. That makes me feel good. What’s that? You’ll slap the wrist of the company that did it? Maybe issue a small fine? What? I don’t get part of that fine as compensation? What, that disclosure law can’t be used in a class action law suit?” It kind of makes you sick. But what have these laws really done for us? Most are too new to really know. But studies have shown that some of the early adopters of this approach like the FTC have seen NO significant reduction in breaches. If I may rephrase that, the laws are useless.

From a business perspective, I’ve talked with many clients about this topic and very few are really even truly aware of which disclosure laws apply. Additionally, many take a legal focus on how they can split hairs on wriggling out from any applicable laws. I constantly hear “when it happens, we’ll just sit down and make a determination” i.e. a very reactive approach. What they don’t understand is that these laws are trying to just convey the common sense that they need to protect sensitive data for which they are custodians. So rather than say “Hey, this is common sense. Maybe we should just consider it or set it as a goal,” they wait for the pain and then react.

At some point, these laws are going to have to adapt and change. The reality is that they are ineffective at incenting companies to stop breaches from occurring. They need to mature as HIPAA has recently, and do things like open the gates for class action lawsuits, call for audits around the laws, and ultimately mandate prevention of breaches (go figure). If only I had a $1 for every time a client asked me “So what are the fines?” Unfortunately money makes the world go round, and from a business risk perspective, there isn’t a whole lot of money at stake with these simple disclosure laws.

If I were the CISO at your organization, my approach would be straightforward. First identify all your sensitive data and where it resides. Then look at an enterprise approach to encrypt that data throughout its lifecycle - and that does mean you need strong key management too. What you end up with is confidential data that has been desensitized on all your systems. So, if some system breach should occur, it really isn’t a breach of data and hence disclosure laws won’t apply. We do this all the time with PCI cardholder data and we do it with laptops and full disk encryption. So why aren’t you doing it elsewhere? Do you need a breach first? No problem. SecureState has a fantastic forensics practice available for you.


Alex Hamerstone said...

Without injecting politics, what do you think the chances are that the new administration will clear the way for class action suits based on disclosure?

Matt Davis said...

Given that they recently opened up HIPAA to allow for civil suits, I'd expect that it is certainly possible. But keep in mind that is more likely at a federal level then state level and there are more of these laws at the state level.