Selective Notification
As the Privacy Director for the Liberty Coalition, I have discovered and documented roughly 100 breaches on our website, SSNBreach.org. There, any member of the public can search for his or her name to find out whether their personal information was exposed, under what conditions, and who’s responsible. The vast majority of these breaches are unintentional. Except for breaches by criminal ID theft rings, most breaches are due to ignorance, recklessness or plain stupidity, but not maliciousness.
Inside the Breach
I recently announced such a breach by East Burke High School in the small North Carolina town of Connelly Springs. In short, a staff member had placed personal information online for more than five years. The victims included 163 teachers, bus drivers, custodians, and others who worked at East Burke High School in 2003. The information exposed included names, social security numbers, addresses, phone numbers, job titles, e-mail addresses, and a few unlisted phone numbers.
I notified the school, which removed the file within 20 minutes, and also worked to clear search engine caches. I then worked directly with the Superintendent, David Burleson, who asked for my help drafting a letter to victims, which I was happy to do. As I drafted the letter I put factual assumptions in [brackets], and for the sake of expediency omitted some of the instructions, replacing them with asterisks. I handed him the letter and told him to review it for factual accuracy and run it by his legal counsel. In addition to the brackets and asterisks, my draft of the letter committed the school district to do five things, including contracting with an identity theft protection company to provide free credit protection services to victims.
Days after I sent the letter to the school district, the Hickory Record ran a copy of the letter as sent by the school district, and I had to chuckle when I saw all of my brackets and asterisks still in the final copy. For example, “As of now, [we don't have any evidence that anyone with bad intentions has seen your personal information].” I also wanted their general counsel to confirm whether North Carolina allowed for credit freezes. The final copy encourages victims to get a credit freeze, with a note to the general counsel: “[Note: Not all states allow a credit freeze].” And this omission for sake of expediency, “visit www.ftc.gov, and click on “***” for more information.” The Hickory Record has since done some copy editing on behalf of the school district, and edited out the brackets.
Therefore, What?
Now in their defense, I’ve got to give the school district credit for making a good faith effort to notify their employees of the breach. And I can’t be too critical of their failure to edit the letter, especially in a small school district with limited resources.
On the other hand, it turns out they did edit the letter. The school district conveniently removed the promise to provide identity theft protection services to victims. This selective editing is symptomatic of systemic problems with protecting consumer privacy:
- The market does not value privacy. Ensuring privacy is expensive, but the costs of violating privacy are small. This means that there is a strong financial incentive to do as little as possible to prevent, announce, or clean up a breach. The result is victims often don’t get all of the facts or protections they need.
- The fox is guarding the hen house. A cruel irony of data breaches is that the responsible organization has a strong incentive to hide or skew the details. Many breaches are under-reported or unreported, regardless of applicable law. With very few exceptions, even well-intentioned organizations issue vague, incomplete, blame-shifting or liability-reducing press releases that leave victims in the dark.
- Privacy Naivety. If you have ever asked customer service, “does your organization ever share my personal information with other organizations,” the answer is always (and incorrectly) “no.” Unfortunately, consumers incorrectly assume that laws and privacy policies protect their personal information. Employees incorrectly assume that their privacy practices are sound, while company policies often amount to little more than a privacy waiver. An environment of naivety breeds carelessness and increases the risk of breaches.
Consumers should always read breach announcements with a skeptical eye, and press the breaching organization for as much detail as possible.



Aaron: Data breach notices have a scalability problem. As the number of notices soars, we need to better define what is a serious breach and what is not. Otherwise, the public drowns in breach notices, many of which are insignificant. –Ben http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html
Ben: I think you’re right, but that there are two issues here. I think that breach notifications serve at least two purposes. The first is to (hopefully) embarrass organizations into not making breaches. The second is to empower victims of breaches. Breach notifications are woefully deficient on both accounts.
I will make two initial observations about the effect of breach notification laws on organizations: 1. Breach notification laws do not appear to have embarrassed organizations into being careful. 2. My personal experience tells me that breaches are under-reported (i.e., many are never reported).
On victims, you are correct to point out that breach notifications are not very effective at empowering victims for a few reasons: 1. Most people never hear about the breach because they miss the press release. 2. Even if they hear about the breach, they may not self-identify as a victim. 3. Even if they hear about the breach and self-identify themselves as a victim, they won’t get the whole story because the press release was issued by the organization with the most incentive to hide or skew the facts. 4. They do not accurately describe the actual risk of any given breach.
That’s why I created ssnbreach.org. There, I document individual “Identity Exposure Reports” (here is an example IXR). Here are the purposes: 1. I write a press release explaining exactly what happened, what pieces of information were exposed (the database does not contain sensitive personal information), how it happened, when, who is responsible, and how to contact the responsible person. 2. Individuals can effectively self-identify. 3. They get the whole story and are able to measure their own subjective risks. For example, for most people, a breach of an address is not a big deal and is not covered by any breach notification laws. However, a breach of an address is important for someone with an abusive boyfriend to know whether her address has been breached.
I have also developed four rough indicators of breach severity: Sensitivity, Duration, Distribution, and Size. For example, a backup tape with SSNs, DOBs, and credit card numbers which was lost in the mail, and then found on a mail truck the following week may have the following severity indicators:
Sensitivity: Extreme (i.e., the information breached is objectively sensitive)
Duration: Less than One Week
Distribution: No Known Access
Size: 1.2 Million Records
So in this case we have a breach of massive proportion and extremely sensitive data, but the objective risks of actual harm are very low because the duration and distribution factors mitigate the potential for loss. From an individual’s standpoint, the size of the breach doesn’t really matter in determining personal risk, but may have legal consequences (and make for better headlines).
Though there are many additional ways to sub-categorize breaches, I have found that this way is efficient and understandable, and would solve many of the problems with notifications in general. What do you think?
Aaron:
I admire your honest, hard work in this area! I have a point of view that is different from yours, and I’ll express some of it here. But as I do so I admit that I don’t know everything, and I do not claim my judgment is flawless.
My feeling is that these breach notices and announcements have little if any practical effect in the battle against identity theft. They are an exercise in politics. On the whole, they are just noise. And thus, we have companies like Anheuser-Busch giving notice in New Hampshire about encrypted data on a stolen laptop, even though New Hampshire law does not require notice if data are encrypted. http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/encrypted-perso.html
If firms must give notice about encrypted data, then every firm should transmit multiple notices to all its consumers & constituents every day. That would be ridiculous.
My feeling is that the breach-notice/announcement noise distracts and confuses the public. A premise behind notices & announcements is that a consumer should be on special alert (take special precautions, monitor her credit report more carefully and so on) when her data are the subject of a notice or announcement. I believe that premise is wrong . . . and harmful for two reasons:
1. All personally identifiable data have been exposed numerous times and are at serious risk of further exposure, virtually all the time. A consumer’s data reside in innumerable records scattered all over the globe. The number of ways for bad guys to access that data are infinite. Modern information technology, viewed as a whole global system, is incapable of effectively preventing bad guys from accessing the data. The technology for system-wide access denial does not exist. Therefore: the well-informed consumer must operate on the assumption that all of her data are exposed all the time. She should be on red alert for identity theft every, single day.
2. The fact that a given consumer has received no notice of breach, and can find no public announcement of breach by someone she does business with, is meaningless to her. The fact that a consumer has heard nothing about a breach should give her absolutely zero comfort. She should be on utter red alert for identity theft every day. Thus, her receipt of a notice about a breach should change nothing for her. The notice is just noise.
I argue we need different thinking about identity theft. http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html
I’d be honored to hear more of what you think, Aaron.
–Ben