Schneier on Security
A blog covering security and security technology.
« Police Helping Thieves |
| Bank Vault Plans Found in Trash »
December 12, 2007
Security-Breach Notification Laws
Interesting study on the effects of security-breach notification laws in the U.S.:
This study surveys the literature on changes in the information security world and significantly expands upon it with qualitative data from seven in-depth discussions with information security officers. These interviews focused on the most important factors driving security investment at their organizations and how security breach notification laws fit into that list. Often missing from the debate is that, regardless of the risk of identity theft and alleged consumer apathy towards notices, the simple fact of having to publicly notify causes organizations to implement stronger security standards that protect personal information.
The interviews showed that security breaches drive information exchange among security professionals, causing them to engage in discussions about information security issues that may arise at their and others' organizations. For example, we found that some CSOs summarize news reports from breaches at other organizations and circulate them to staff with "lessons learned" from each incident. In some cases, organizations have a "that could have been us" moment, and patch systems with similar vulnerabilities to the entity that had a breach.
Breach notification laws have significantly contributed to heightened awareness of the importance of information security throughout all levels of a business organization and to development of a level of cooperation among different departments within an organization hat resulted from the need to monitor data access for the purposes of detecting, investigating, and reporting breaches. CSOs reported that breach notification duties empowered them to implement new access controls, auditing measures, and encryption. Aside from the organization's own efforts at complying with notification laws, reports of breaches at other organizations help information officers maintain that sense of awareness.
Posted on December 12, 2007 at 1:53 PM
• 22 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"Aside from the organization's own efforts at complying with notification laws, reports of breaches at other organizations help information officers maintain that sense of awareness."
I can anecdotally confirm this to be true. "We need to change the way we do business, because what we're doing is crazily insecure" may fall upon deaf ears. "We need to change the way we do business, because we do things the way [this company in the news] does business, and we're going to be in the news any day now" has more presence to it.
It is indeed good to see people (atleast CSOs) becoming aware of security.
"...the simple fact of having to publicly notify auses organizations..."
auses == typo? It looks like it should be "causes".
It is a pitty that again a law has to come up for that. If companies played open cards, all others could learn from their lessons and in return exchange how they may have been hacked in the past.
How else was it going to happen. The free market works well in theroy. The reality is that there are many externalities that must be made internal via law. This is not new, pollution (emission limits etc) and other things have always been like this. Without laws there is no incentive fix the problem.
The free market does not work in the case of many info security disciplines, especially privacy, because without the law artificially changing it, the cost of PII breaches are an externality to the negligent companies who allow them.
I don't necessarily believe that security and privacy won't work in a free-market model.
It would just take time for consumers to change their shopping habits. In theory, consumers would begin choosing more carefully where they shop and where they put their data. Businesses then, as a competitive advantage, would take better care of PII in order to bring in the shoppers.
Regulations help expedite the process of business' taking better care of data, but it also dampens consumers from changing their habits.
You're missing the point that much of one's personal information is out of one's control. I'd sure like you to explain which habits I, as a consumer, can change so that my personal information remains under my control. Unless I pay cash for everything, I can't see how this is at all possible.
You got it. Use cash, and whenever possible, don't give your business to companies that don't protect data. For example, don't shop at TJ Max. You can also organize demonstrations, send letters to CEOs, get your local consumer advocate to make a stink on TV or radio, create a web site, ...
The free market works, but only when people make it work. Sadly, many people are not willing to do that.
"Regulations help expedite the process of business' taking better care of data, but it also dampens consumers from changing their habits."
Regulations dampen businesses from changing their habits as well. The elephant in the room, with respect to identity theft, is how trivially easy it is to commit, i.e. businesses want payments to be easy, so they use identity validation tools and techniques that are obviously outmoded.
The free market alone will not work in this context because without the notification laws consumers will never know that their data has been compromised. They will not have the information necessary to determine that a certain company is untrustworthy. Therefore no market forces will come to bear.
Here is an excellent example of a very recent breach with a fairly quick notification:
Seems like the right thing to do.
However, there are limits to the amount of information that should be given out. Here is an example of a questionable request for breach data:
This sort of law is very helpful in generating awareness by disclosing information about breach events. The study Mr. Schneier posted is clear about notification law benefits. But the laws need to be explicit as to what data needs to be provided -- both too little and too much can be potentially counterproductive.
Even with notification laws, there is no practical way for consumers to know how carefully a company is protecting their personal data -- or even whether the company is reselling that data to potential attackers such as spammers.
The only people likely ever to know the answer to that question are employees of the company, and they are usually covered by nondisclosure agreements.
As much as I hate the heavy hand of regulation, I can't think of a good alternative, unless it is having some watchdog NGO such as Consumer Reports start attempting "tiger team" attacks on company databases to discover just how secure each one is.
As Judge Posner suggested in with the New York City trans-fat ban, laws like this may correct for informational and transaction costs that prevent people from making the rational decisions they would if they were fully informed and it was worth the effort to make a fully rational decision.
@Kevin: It's hard to have an efficient outcome if I don't have the ability to restrict access to my PII. If, say, had a property right in my SSN, things would be much better. Still, assignment of rights (albeit not property rights) gets us part of the way there.
CP & T-
It hardly seems worth pointing out how monumentally impractical the suggestion to "just pay cash" really is. One who chooses that route can kiss goodbye any dreams of owning a house and possibly a car. And perhaps of having a job too since you're required to disclose SS# and other personal information, which potentially gets transmitted to payroll services. There are just too many instances in which submitting personal information is a requirement for completing basic transactions.
On page 9 line 12 it says: "The statute exempts from notification any unauthorized acquisition where the personal information has been encrypted".
1) Where does rot13 end and encryption start? ;)
2) What happens if first encrypted data is lost and subsequently encryption keys are lost?
I agree with after-breach notification laws, since public embarassment is something most entities will work hard to avoid.
However, on a similar note, I tend to be against requirements for certain organizations to publicly disclose external or peer audit results. Such requirements are based on an optimistic assumption: "they will fix problems if they know they will become public." Actually, fear of public embarrassment (and loss of customer/public confidence) undermines this. I've seen it several times. The goal no longer is to identify and fix existing problems. The goal is to get a clean opinion. So they hire reviewers who are either incompetent or know that their rehiring depends on clean opinions.
To distinguish, I'm saying that after a breach, people need to know. Yet, before a breach, the goals should be to identify and improve--and that is undermined when identify=publicity. If they are required to get an external/peer review, there should be every incentive to have a good one.
I know there is a risk that they will never fix problems they don't publish--but that is no worse then never fixing problems they never identify. Perhaps there could be a requirement that recurring problems must be published. In any case, any entity that doesn't fix known problems is just begging for a breach.
Anyways, that is my experience, and my two cents. Anyone else have other beneficial experience regarding notification?
John W., CIA, CISA
Actually breach notification laws (among other things) were recommended by the House of Lords over this last summer.
I agree with you that it is a shame that they are being resisted, but let's be fair. Companies don't want to face the costs that notification can generate, so they resist. Eventually though, the laws are needed to drive the cost of the loss back to the company so when they are trying to do cost - risk assessments of their controls they consider the (otherwise external) cost of the loss.
I agree with Brian S. Breach notification laws are necessary so the cost of breaches are not an externality to the company.
I still believe that, coupled with breach notification, not requiring external/peer review opinions to be published would be a benefit (unless exposures have been recurring). The reason is we do not want companies to be afraid of exposing weaknesses so they can fix them, instead of hiding them to avoid publishing.
An analogy is something we have in my home state called "reportable infectious medical conditions." Here, if someone finds out they have certain STDs, they are required to make sure everyone they had been with is notified. It is nice in theory. Instead, people are not being tested so they avoid embarassment--and put everyone else at risk. Similar to peer/external reviews--people are going out of their way to get a clean opinion, rather than at identifying problems to fix.
John W. CIA, CISA
@ John W
I think you're right. People have the right to know if their data is disclosed, but before that companies should want to uncover weaknesses to prevent disclosure rather than to embarrass themselves. If we make them embarass themsleves, they'll just hope for the best. (prospect theory at work)
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.