<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
	>
<channel>
	<title>Comments on: Selective Notification</title>
	<atom:link href="http://www.securitycatalyst.com/selective-notification/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securitycatalyst.com/selective-notification/</link>
	<description>Michael Santarcangelo turns insiders into allies who reduce business risk</description>
	<lastBuildDate>Wed, 17 Feb 2010 03:27:05 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: The Security Catalyst &#187; In Defense of Breach Notification Laws (sort of)</title>
		<link>http://www.securitycatalyst.com/selective-notification/comment-page-1/#comment-382</link>
		<dc:creator>The Security Catalyst &#187; In Defense of Breach Notification Laws (sort of)</dc:creator>
		<pubDate>Thu, 18 Dec 2008 14:22:40 +0000</pubDate>
		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=548#comment-382</guid>
		<description>[...] five years of breach notification law experience, it is essential to ask, &#8220;Are they working?&#8221; My shorthand answer is &#8220;yes, sort [...]</description>
		<content:encoded><![CDATA[<p>[...] five years of breach notification law experience, it is essential to ask, &#8220;Are they working?&#8221; My shorthand answer is &#8220;yes, sort [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: benjaminwright</title>
		<link>http://www.securitycatalyst.com/selective-notification/comment-page-1/#comment-379</link>
		<dc:creator>benjaminwright</dc:creator>
		<pubDate>Sat, 25 Oct 2008 16:53:05 +0000</pubDate>
		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=548#comment-379</guid>
		<description>Aaron:

I admire your honest, hard work in this area!  I have a point of view that is different from yours, and I&#039;ll express some of it here.  But as I do so I admit that I don&#039;t know everything, and I do not claim my judgment is flawless.

My feeling is that these breach notices and announcements have little if any practical effect in the battle against identity theft.  They are an exercise in politics.  On the whole, they are just noise.  And thus, we have companies like Anheuser-Busch giving notice in New Hampshire about encrypted data on a stolen laptop, even though New Hampshire law does not require notice if data are encrypted. &lt;a href=&quot;http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/encrypted-perso.html&quot; rel=&quot;nofollow&quot;&gt;http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/encrypted-perso.html&lt;/a&gt;

If firms must give notice about encrypted data, then every firm should transmit multiple notices to all its consumers &amp; constituents every day.  That would be ridiculous.

My feeling is that the breach-notice/announcement noise distracts and confuses the public.  A premise behind notices &amp; announcements is that a consumer should be on special alert (take special precautions, monitor her credit report more carefully and so on) when her data are the subject of a notice or announcement.  I believe that premise is wrong . . . and harmful for two reasons:

1.  All personally identifiable data have been exposed numerous times and are at serious risk of further exposure, virtually all the time.  A consumer&#039;s data reside in innumerable records scattered all over the globe.  The number of ways for bad guys to access that data is infinite.  Modern information technology, viewed as a whole global system, is incapable of effectively preventing bad guys from accessing the data.  The technology for system-wide access denial does not exist.  Therefore: the well-informed consumer must operate on the assumption that all of her data are exposed all the time. She should be on red alert for identity theft every single day.

2.  The fact that a given consumer has received no notice of breach, and can find no public announcement of breach by someone she does business with, is meaningless to her.  The fact that a consumer has heard nothing about a breach should give her absolutely zero comfort.  She should be on utter red alert for identity theft every day.  Thus, her receipt of a notice about a breach should change nothing for her.  The notice is just noise.

I argue we need different thinking about identity theft.  &lt;a href=&quot;http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html&quot; rel=&quot;nofollow&quot;&gt;http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html&lt;/a&gt;

I&#039;d be honored to hear more of what you think, Aaron.

–Ben</description>
		<content:encoded><![CDATA[<p>Aaron:</p>
<p>I admire your honest, hard work in this area!  I have a point of view that is different from yours, and I&#8217;ll express some of it here.  But as I do so I admit that I don&#8217;t know everything, and I do not claim my judgment is flawless.</p>
<p>My feeling is that these breach notices and announcements have little if any practical effect in the battle against identity theft.  They are an exercise in politics.  On the whole, they are just noise.  And thus, we have companies like Anheuser-Busch giving notice in New Hampshire about encrypted data on a stolen laptop, even though New Hampshire law does not require notice if data are encrypted. <a href="http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/encrypted-perso.html" rel="nofollow">http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/encrypted-perso.html</a></p>
<p>If firms must give notice about encrypted data, then every firm should transmit multiple notices to all its consumers &amp; constituents every day.  That would be ridiculous.</p>
<p>My feeling is that the breach-notice/announcement noise distracts and confuses the public.  A premise behind notices &amp; announcements is that a consumer should be on special alert (take special precautions, monitor her credit report more carefully and so on) when her data are the subject of a notice or announcement.  I believe that premise is wrong . . . and harmful for two reasons:</p>
<p>1.  All personally identifiable data have been exposed numerous times and are at serious risk of further exposure, virtually all the time.  A consumer&#8217;s data reside in innumerable records scattered all over the globe.  The number of ways for bad guys to access that data is infinite.  Modern information technology, viewed as a whole global system, is incapable of effectively preventing bad guys from accessing the data.  The technology for system-wide access denial does not exist.  Therefore: the well-informed consumer must operate on the assumption that all of her data are exposed all the time. She should be on red alert for identity theft every single day.</p>
<p>2.  The fact that a given consumer has received no notice of breach, and can find no public announcement of breach by someone she does business with, is meaningless to her.  The fact that a consumer has heard nothing about a breach should give her absolutely zero comfort.  She should be on utter red alert for identity theft every day.  Thus, her receipt of a notice about a breach should change nothing for her.  The notice is just noise.</p>
<p>I argue we need different thinking about identity theft.  <a href="http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html" rel="nofollow">http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html</a></p>
<p>I&#8217;d be honored to hear more of what you think, Aaron.</p>
<p>–Ben</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: aaron.titus</title>
		<link>http://www.securitycatalyst.com/selective-notification/comment-page-1/#comment-381</link>
		<dc:creator>aaron.titus</dc:creator>
		<pubDate>Fri, 24 Oct 2008 21:17:35 +0000</pubDate>
		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=548#comment-381</guid>
		<description>Ben:  I think you&#039;re right, but that there are two issues here.  I think that breach notifications serve at least two purposes.  The first is to (hopefully) embarrass organizations into not making breaches.  The second is to empower victims of breaches.  Breach notifications are woefully deficient on both accounts.

I will make two initial observations about the effect of breach notification laws on organizations: 1. Breach notification laws do not appear to have embarrassed organizations into being careful.  2. My personal experience tells me that breaches are under-reported (i.e., many are never reported).

On victims, you are correct to point out that breach notifications are not very effective at empowering victims for a few reasons: 1. Most people never hear about the breach because they miss the press release. 2. Even if they hear about the breach, they may not self-identify as a victim. 3. Even if they hear about the breach and self-identify themselves as a victim, they won&#039;t get the whole story because the press release was issued by the organization with the most incentive to hide or skew the facts. 4. They do not accurately describe the actual risk of any given breach.

That&#039;s why I created &lt;a href=&quot;http://www.ssnbreach.org&quot; rel=&quot;nofollow&quot;&gt;ssnbreach.org&lt;/a&gt;.  There, I document individual &quot;Identity Exposure Reports&quot; (here is an &lt;a href=&quot;https://ssnbreach.org/search.php?action=showInd&amp;iid=288083&quot; rel=&quot;nofollow&quot;&gt;example IXR&lt;/a&gt;). Here are the purposes: 1. I write a press release explaining exactly what happened, what pieces of information were exposed (the database does not contain sensitive personal information), how it happened, when, who is responsible, and how to contact the responsible person.  2. Individuals can effectively self-identify. 3. They get the whole story and are able to measure their own subjective risks.  For example, for most people, a breach of an address is not a big deal and is not covered by any breach notification laws.  However, it is important for someone with an abusive boyfriend to know whether her address has been breached.

I have also developed four rough indicators of breach severity: &lt;strong&gt;Sensitivity, Duration, Distribution, and Size&lt;/strong&gt;.  For example, a backup tape with SSNs, DOBs, and credit card numbers which was lost in the mail, and then found on a mail truck the following week may have the following severity indicators:
Sensitivity: Extreme (i.e., the information breached is objectively sensitive)
Duration: Less than One Week
Distribution: No Known Access
Size: 1.2 Million Records

So in this case we have a breach of massive proportion and extremely sensitive data, but the objective risks of actual harm are very low because the duration and distribution factors mitigate the potential for loss.  From an individual&#039;s standpoint, the size of the breach doesn&#039;t really matter in determining personal risk, but may have legal consequences (and make for better headlines).

Though there are many additional ways to sub-categorize breaches, I have found that this way is efficient and understandable, and would solve many of the problems with notifications in general.  What do you think?</description>
		<content:encoded><![CDATA[<p>Ben:  I think you&#8217;re right, but that there are two issues here.  I think that breach notifications serve at least two purposes.  The first is to (hopefully) embarrass organizations into not making breaches.  The second is to empower victims of breaches.  Breach notifications are woefully deficient on both accounts.</p>
<p>I will make two initial observations about the effect of breach notification laws on organizations: 1. Breach notification laws do not appear to have embarrassed organizations into being careful.  2. My personal experience tells me that breaches are under-reported (i.e., many are never reported).</p>
<p>On victims, you are correct to point out that breach notifications are not very effective at empowering victims for a few reasons: 1. Most people never hear about the breach because they miss the press release. 2. Even if they hear about the breach, they may not self-identify as a victim. 3. Even if they hear about the breach and self-identify themselves as a victim, they won&#8217;t get the whole story because the press release was issued by the organization with the most incentive to hide or skew the facts. 4. They do not accurately describe the actual risk of any given breach.</p>
<p>That&#8217;s why I created <a href="http://www.ssnbreach.org" rel="nofollow">ssnbreach.org</a>.  There, I document individual &#8220;Identity Exposure Reports&#8221; (here is an <a href="https://ssnbreach.org/search.php?action=showInd&amp;iid=288083" rel="nofollow">example IXR</a>). Here are the purposes: 1. I write a press release explaining exactly what happened, what pieces of information were exposed (the database does not contain sensitive personal information), how it happened, when, who is responsible, and how to contact the responsible person.  2. Individuals can effectively self-identify. 3. They get the whole story and are able to measure their own subjective risks.  For example, for most people, a breach of an address is not a big deal and is not covered by any breach notification laws.  However, it is important for someone with an abusive boyfriend to know whether her address has been breached.</p>
<p>I have also developed four rough indicators of breach severity: <strong>Sensitivity, Duration, Distribution, and Size</strong>.  For example, a backup tape with SSNs, DOBs, and credit card numbers which was lost in the mail, and then found on a mail truck the following week may have the following severity indicators:<br />
Sensitivity: Extreme (i.e., the information breached is objectively sensitive)<br />
Duration: Less than One Week<br />
Distribution: No Known Access<br />
Size: 1.2 Million Records</p>
<p>So in this case we have a breach of massive proportion and extremely sensitive data, but the objective risks of actual harm are very low because the duration and distribution factors mitigate the potential for loss.  From an individual&#8217;s standpoint, the size of the breach doesn&#8217;t really matter in determining personal risk, but may have legal consequences (and make for better headlines).</p>
<p>Though there are many additional ways to sub-categorize breaches, I have found that this way is efficient and understandable, and would solve many of the problems with notifications in general.  What do you think?</p>
]]></content:encoded>
	</item>
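The four severity indicators in the comment above (Sensitivity, Duration, Distribution, Size) and the point that size drives headlines but not personal risk, turned into a small triage script. This is an added example by the editor, not code from ssnbreach.org or from the commenter: the 0..3 scales, the key names such as "under_one_week", the rule that combines the factors, the size buckets and the three sample breaches are all assumptions constructed for illustration. The per-person weight override reflects the comment's point that an individual (the address example) may rate an element far higher than the objective scale does.

```python
"""Triage of a reported breach on four indicators: Sensitivity, Duration,
Distribution and Size.  Added example; the scales, the combining rule, the
size buckets and the sample breaches are this editor's assumptions, not the
rubric as used on ssnbreach.org."""
from dataclasses import dataclass

# Assumed objective sensitivity of one exposed data element, 0 (low) to 3 (extreme).
FIELD_SENSITIVITY = {
    "name": 0, "email": 0, "address": 1, "phone": 1,
    "dob": 2, "ssn": 3, "credit_card": 3, "bank_account": 3,
}
# Assumed scale for how long the data was out of the owner's control.
DURATION = {"under_one_week": 0, "under_one_month": 1, "months": 2, "unknown": 3}
# Assumed scale for who is believed to have had access to the data.
DISTRIBUTION = {"no_known_access": 0, "single_recipient": 1, "limited": 2, "public": 3}
LABELS = ("very low", "low", "elevated", "high")


@dataclass(frozen=True)
class Breach:
    name: str
    fields: tuple        # exposed data elements, keys of FIELD_SENSITIVITY
    duration: str        # key of DURATION
    distribution: str    # key of DISTRIBUTION
    size: int            # number of records


def sensitivity(breach, personal=None):
    """Objective sensitivity is the most sensitive element exposed.  An
    individual may pass her own per-field weights (e.g. address rated 3 by
    someone hiding from an abuser) to measure her subjective risk instead."""
    weights = dict(FIELD_SENSITIVITY)
    weights.update(personal or {})
    return max(weights[f] for f in breach.fields)


def individual_risk_score(breach, personal=None):
    """Risk to one affected person, 0..3.  Size is deliberately left out:
    per the rubric it matters for legal consequences and headlines, not for
    personal risk.  Assumed combining rule: the worse of duration and
    distribution caps the sensitivity, so extremely sensitive data with no
    known access for under a week still scores very low."""
    exposure = max(DURATION[breach.duration], DISTRIBUTION[breach.distribution])
    return min(sensitivity(breach, personal), exposure)


def individual_risk(breach, personal=None):
    return LABELS[individual_risk_score(breach, personal)]


def size_bucket(records):
    """Assumed buckets: under 1k, under 100k, under 1M, 1M and over."""
    if records >= 1_000_000:
        return 3
    if records >= 100_000:
        return 2
    if records >= 1_000:
        return 1
    return 0


def headline_score(breach):
    """What drives legal exposure and press coverage: objective sensitivity
    plus size, independent of whether anyone actually got at the data."""
    return sensitivity(breach) + size_bucket(breach.size)


def rank(breaches, key):
    """Breach names ordered from most to least severe under the given scoring."""
    return [b.name for b in sorted(breaches, key=key, reverse=True)]


# Constructed sample breaches (not real incidents).  The first mirrors the
# lost-and-found backup tape described in the comment above.
SAMPLES = (
    Breach("backup tape lost in the mail, found a week later",
           ("ssn", "dob", "credit_card"), "under_one_week", "no_known_access", 1_200_000),
    Breach("member list with home addresses posted on a public site",
           ("name", "address", "email"), "months", "public", 800),
    Breach("unencrypted payroll laptop stolen, whereabouts unknown",
           ("name", "ssn", "bank_account"), "unknown", "single_recipient", 2_500),
)


def triage(breaches=SAMPLES, personal=None):
    """Both orderings side by side; they diverge, which is the point."""
    return {
        "by_headline": rank(breaches, headline_score),
        "by_individual_risk": rank(
            breaches, lambda b: individual_risk_score(b, personal)),
    }


if __name__ == "__main__":
    for b in SAMPLES:
        print(f"{b.name}: headline {headline_score(b)}, "
              f"individual risk {individual_risk(b)}")
    print(triage())
    print("same breaches for someone whose address must stay private:",
          triage(personal={"address": 3})["by_individual_risk"])
```

Run as-is: the 1.2 million-record tape tops the headline ranking yet sits last on individual risk, while the 800-record address leak, trivial by size and outside any notification statute, becomes the worst of the three for a person who passes `{"address": 3}`. The combining rule is deliberately simple and conservative; the structure (sensitivity scored per element, exposure factors separate from size, a per-person override) is the part worth keeping when building a more refined scale.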
	<item>
		<title>By: benjaminwright</title>
		<link>http://www.securitycatalyst.com/selective-notification/comment-page-1/#comment-380</link>
		<dc:creator>benjaminwright</dc:creator>
		<pubDate>Fri, 24 Oct 2008 14:22:40 +0000</pubDate>
		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=548#comment-380</guid>
		<description>Aaron: Data breach notices have a scalability problem. As the number of notices soars, we need to better define what is a serious breach and what is not. Otherwise, the public drowns in breach notices, many of which are insignificant. --Ben &lt;a href=&quot;http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html&quot; rel=&quot;nofollow&quot;&gt;http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html&lt;/a&gt;</description>
		<content:encoded><![CDATA[<p>Aaron: Data breach notices have a scalability problem. As the number of notices soars, we need to better define what is a serious breach and what is not. Otherwise, the public drowns in breach notices, many of which are insignificant. &#8211;Ben <a href="http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html" rel="nofollow">http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html</a></p>
]]></content:encoded>
	</item>
</channel>
</rss>
