
Breach Notification and Encryption

I read a story in yesterday's Computerworld, "Breach notification laws: When should companies tell all? Privacy experts, lawyers differ on whether more laws would help," with great interest, some concern, and, at one point, puzzlement. I realize that reporters sometimes twist words and put quotes into a different context to make a story more interesting. However, there is one quote I want to pull from the article.

  • "Breaches should not be tied to the potential criminal use of the information," said Christopher Pierson, a lawyer with Lewis & Rocca LLP in Phoenix. "I find it highly unlikely that IT professionals, company officials or lawyers would be able to examine the intent of a criminal that has yet to be identified."

Does this logic apply to someone stealing my credit card, too? If someone takes my credit card, should the credit card company wait until the intent of the criminal has been identified before cancelling my card? The main difference is that my stolen credit card is a small-scale incident; it impacts only me. So, if the incident involves stealing thousands or millions of credit card records from a database, must the intent of the criminal first be determined?

Of course you cannot know the intent of criminals before they commit crimes. But when computer breaches occur, the potential impact must be examined. If someone purposefully broke into a system, it is unlikely they did it to debug the application code or to apply a more recent security patch. Computer crime is growing. Many studies, such as the CERT/Secret Service Insider Threat Study, show that there is growing criminal intent involved in computer-related incidents.

So... unless there is irrefutable evidence that someone has mucked around with and fraudulently used all the personal information that has been stolen, found on lost storage media, or inappropriately accessed by fraudsters, we should not worry about the potential for criminal use of information that is lost, stolen, or misused by those with access to it? I guess the CardSystems Solutions incident last year, in which a network intruder stole information on 40 million people "and, according to the FTC, the security breach resulted in millions of dollars in fraudulent purchases," wasn't anything to worry about until the fraud occurred? I'm sure all the people who are now dealing with identity theft, identity fraud and ruined credit histories got warm fuzzies reading his opinion.

  • "Similarly, requiring even companies that encrypt their data to disclose breaches, as some states mandate, is overkill, according to Herath."

While it would take some examination of the breach notification laws involved, I generally agree with this statement. Encryption is one of the most effective security tools available to protect the confidentiality of, and control access to, data. New encryption solutions have made it easier to use and manage, and more economical, than ever before. If strong encryption is used (and this could be part of the regulatory verbiage, and easily verified by organizations when breaches occur), then why would notification, or at least the same level or type of notification, be necessary?

I agree that over-notification should be avoided, but that comes from crafting thoughtful laws and identifying what the key notification triggers should be. Over-notification definitely could have a negative impact. But let's get some information security and privacy experts speaking with the lawmakers to help them understand the issues and write good legislation.

There is so much more to discuss about this...


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.