
The Green Sheet Online Edition

June 27, 2011 • Issue 11:06:02

Deciphering breach notification regulations

By Tim Cranny
Panoptic Security Inc.

When most people think about security, Payment Card Industry Data Security Standard compliance and breach prevention typically come to mind. But just as important, knowing what to do after a breach occurs can make or break a company. In this article, I will focus on breach notification and address the critical questions of how, when and why, as well as what to tell your customers, partners and others who might be impacted by a breach.

Breaches are an unavoidably messy issue: they involve the law, politics, psychology and customer perception, all of which can be difficult to measure or pin down. But the topic is especially timely. Recently, we've seen a series of major breaches (some of which were badly mishandled), and the White House just released a breach notification proposal to create a consistent national framework for how businesses must notify customers and others affected by a breach.

Four key points about breaches

When considering a breach notification plan, it's important to understand:

  1. It can happen to you. Investing time and money on security is a business necessity. But while preventive action can make you safer, it won't make you invulnerable. You also need to have a plan in place should anything go wrong and a breach occurs.

  2. You must follow the law. You don't have complete freedom in determining your response to a breach. A multitude of state and national laws specify what you must do and when. In particular, the laws prevent you from sweeping the problem under the rug by making an obscure announcement that nobody will read. Most breach notification laws specify that you must contact affected individuals directly via mail or phone, with exact wording, and within a specified time.

    Many such laws also state when you must take public action, like placing notices in newspapers and on your website. State laws typically apply to customers affected in that state, so it's likely you would have to concern yourself with individual state laws in addition to laws from your own state. The federal government is moving toward a single national notification rule, but that will take time to be constructed and implemented.

  3. Monetary costs can be enormous. The financial costs of a security breach extend far beyond formal fines imposed by law. Breach notification laws often include explicit per diem dollar amounts (for example, the proposed federal law includes the option of penalties of $1,000 per day per record stolen, with a ceiling of $1 million if the incident was not willful or intentional).

    However, breaches inevitably bring a range of additional expenses, like the costs of offering victims free credit monitoring; recovery of electronic records; and dealing with the support, communication and legal issues that enter into play. Analysis of previous real-world breaches shows these additional costs are unavoidable and often end up being far greater than the explicit fines or penalties defined by legislation.

  4. Nonmonetary costs can be significant. Breaches regularly cause massive disruption to a company, both in terms of the time and distraction to management and staff, and the damage done to the company's brand and reputation. It can take years (if ever) to recover from a breach, and while the statistics are blurry, a significant percentage of companies that suffer a security breach don't survive the experience.

Quick analysis of the federal proposal

Now let's review the White House legislative proposal in a little more detail. First, in its current form (which will likely change after this publication goes to press), the proposal is light on details; many such critical details will emerge either during the drafting of the bill or even later as the Federal Trade Commission creates implementation rules.

Second, there is extensive discussion occurring among experts about whether the definition of "breach" is accurate. The proposal says that a breach is any theft, compromise or misuse of "sensitive personally identifiable information," which means any of the following:

  • An individual's first and last name or first initial and last name in combination with any two of the following data elements: home address or telephone number; mother's maiden name; month, day, and year of birth; or

  • A nontruncated Social Security number, driver's license number, passport number, alien registration number or other government-issued unique identification number; or

  • Unique biometric data such as a fingerprint, voice print, a retinal or iris image, or any other unique physical representation; or

  • A unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code; or

  • Any combination of the following data elements:

    • An individual's first and last name or first initial and last name; or

    • A unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code; or

    • Any security code, access code, password, or source code that could be used to generate such codes or passwords

A number of experts feel that the above definition is too narrow (and it isn't hard to think of information that you as a customer wouldn't want stolen, but which wouldn't trigger a breach notification according to the above definition).

Third, the proposal is fairly narrow in scope and would only apply to businesses with the designated types of information on 10,000 or more individuals in any 12-month period.

Fourth, the proposed law would supersede the multitude of state laws out there, giving organizations a single target to worry about.

Safe harbor directives

In addition, the federal proposal describes several "safe harbor" provisions, which essentially say you escape the worst obligations of breach notification if you meet certain circumstances. The main safe harbor situation is one where the records have been encrypted and therefore cannot readily be accessed by a thief, and the company has comprehensive logging in place to track what happened and when.

In this situation the company must still base its decision on a formal risk assessment and notify the FTC, but it is not required to send notification directly to affected customers.

Furthermore, financial institutions that have only had credit card numbers (that is, no names, etc.) exposed also have a special safe harbor. They are exempt from the consumer notification requirements as long as they have a security program that does two things:

  1. Stops an attacker from using the stolen information to initiate unauthorized financial transactions before they are charged to the account of the individual

  2. Provides for notice to affected individuals after a security breach that has resulted in fraud or unauthorized transactions

While the details are still being worked out, every company needs to recognize that breaches are a genuine risk. How they are handled can mean the difference between life and death for the businesses affected. The rules are tightening, and failure to handle the situation carefully is becoming increasingly dangerous for businesses, both legally and financially.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at tim.cranny@panopticsecurity.com or 801-599 3454.
