Comments on: In Defense of Breach Notification Laws (sort of)

By: Because I am Here » Blog Archive » Stimulus Package Federalizes Health Information Breach Notifications

Fri, 06 Mar 2009 14:49:30 +0000

[...] one almost seven years ago. But since that time, they have displayed several shortcomings, which I critique here. Instead of fixing these problems, ARRA will exacerbate many of [...]

By: Because I am Here » Blog Archive » The Top 5 Reasons You Won’t Hear About a Breach

Mon, 02 Feb 2009 15:12:03 +0000

[...] have suggested solutions to some of these problems here and with the creation of National ID [...]

By: The Top 5 Reasons You Won’t Hear About a Breach : The Security Catalyst

The Top 5 Reasons You Won’t Hear About a Breach : The Security Catalyst — Fri, 23 Jan 2009 12:21:47 +0000

[...] have suggested solutions to some of these problems here and with the creation of National ID [...]

By: Because I am Here » Blog Archive » In Defense of Breach Notification Laws (sort of)

Sat, 17 Jan 2009 19:59:39 +0000

[...] Note: This article was originally published on the Security Catalyst Blog. [...]

By: aaron.titus

aaron.titus — Thu, 18 Dec 2008 20:11:24 +0000

Ben,
I agree with the substance of each of your statements. Specific notices should be bluntly accurate (which is the premise of National ID Watch). All individuals should be on red alert for identity theft at all times; but we should also eat less and exercise more… and we don’t do that, either. Breach Notifications (as currently required by law) are only marginally effective, and should be improved. I like the idea of funding public announcements, and I believe that the cost should be borne by the breaching entities.

The question is, in my mind, “How do we fix a broken system?” I tend to take a glass-half-full approach, and view BNLs as an incomplete but necessary first step in the effort to reduce identity theft, increase accountability, improve consumer and organizational behavior, increase awareness, and increase consumer rights. The next step is, exactly as you suggest, to require bluntly accurate breach notifications, in accordance with the principles in this article.

And in addition to notification, there are also other intended/unintended benefits to BNLs.

By: benjaminwright

benjaminwright — Thu, 18 Dec 2008 19:30:25 +0000

And, I argue a correct notice should say, "The only information in this notice that is of any value to you is this: All individuals should be on absolute red alert for identity theft at all times, regardless of whether they do or do not receive a notice like this." -Ben http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html

By: benjaminwright

benjaminwright — Thu, 18 Dec 2008 19:06:16 +0000

Aaron: You present a thoughtful argument. Still, you concede that “none of the announcements may put any particular individual on notice of a personal risk”. And you argue that the justification for mailing notices to consumers is merely that “notifications build [general] public awareness”.

I argue that any specific notices mailed to consumers should be bluntly accurate; otherwise they are misleading.

Let’s suppose that your rationale for sending notices to consumers is correct. I would then I argue that notification laws should be changed so that each specific notice mailed to a consumer start like this: “This is a general public service announcement mandated by the legislature. The purpose of the specific information provided below is not to tell you anything of any practical value to you. In fact, you are better off to just ignore it and not read it. For all practical purposes applicable to you as an individual, the information provided below is meaningless. . . . ”

I argue that if legislature’s purpose is general public awareness, then it should pursue that purpose directly (with public service announcements, seminars etc.), and stop requiring the delivery of confusing notices to individuals. -Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/09/legal-liability-for-data-security-breach.html