Schneier on Security
A blog covering security and security technology.
June 8, 2005
Public Disclosure of Personal Data Loss
Citigroup announced that it lost personal data on 3.9 million people. The data was on a set of backup tapes that were sent by UPS (a package delivery service) from point A and never arrived at point B.
This is a huge data loss, and even though it is unlikely that any bad guys got their hands on the data, it will have profound effects on the security of all our personal data.
It might seem that there has been an epidemic of personal-data losses recently, but that's an illusion. What we're seeing are the effects of a California law that requires companies to disclose losses or thefts of personal data. It's always been happening; only now companies have to go public with it.
As a security expert, I like the California law for three reasons. One, data on actual intrusions is useful for research. Two, alerting individuals whose data is lost or stolen is a good idea. And three, increased public scrutiny leads companies to spend more effort protecting personal data.
Think of it as public shaming. Companies will spend money to avoid the PR cost of public shaming. Hence, security improves.
This works, but there's an attenuation effect going on. As more of these events occur, the press is less likely to report them. When there's less noise in the press, there's less public shaming. And when there's less public shaming, the amount of money companies are willing to spend to avoid it goes down.
This data loss has set a new bar for reporters. Data thefts affecting 50,000 individuals will no longer be news. They won't be reported.
The notification of individuals also has an attenuation effect. I know people in California who have a dozen notices about the loss of their personal data. When no identity theft follows, people start believing that it isn't really a problem. (In the large, they're right. Most data losses don't result in identity theft. But that doesn't mean that it's not a problem.)
Public disclosure is good. But it's not enough.
Posted on June 8, 2005 at 4:45 PM
Not really related.
I just had to fill out a visa application for a trip to Ukraine.
I had to give my SSN, place, and date of birth as well as my present residence and passport number, and a passport photo.
If someone in the Consulate (or, one supposes, anywhere in the system) wants to get identities for fraudulent purposes, this is a great place to look.
One wonders what sorts of protection they have for the information.
Wow, they do indeed ask for SSN. Well, blatantly lie about it. Make one up taking http://www.ssa.gov/foia/stateweb.html into consideration. Do you really think they spend the $100 application fee for PI investigators?
So far I've only seen announcements in the media that involve the loss of some physical item (tape, printouts, etc.).
"California law that requires companies to disclose losses or thefts of personal data"
I'm not familiar with the law; how does it "encourage" companies to notice, record & report the leakage of data?
If they want to check, I'm sure unofficial lists of SSNs are available much more cheaply. If that doesn't match, then they spend the $100. And you potentially end up seeing the inside of a Ukrainian jail, on immigration charges.
"Public disclosure is good. But it's not enough."
What would be enough? A statutory payment to each person whose data is disclosed? What amount? $5? $100? Or an amount dependent on the kind of data disclosed (more for SSN, less for postal address)?
Of course, both public shaming and payments to victims will encourage companies to define "data loss" as narrowly as they can get away with.
"when either the name or the data elements are not encrypted"
So basically all a person/business/agency needs to do is to "encrypt" it somehow and the notification requirement goes away?
Does rot13 suffice?
Why'd anyone bother at all if all they have to do is send some notifications to people's addresses from their already broken databases and be done? I'm sure they can do all that notification printing automatically with a button push. If they had to pay say $4000 (instead of just a stamp) for each person's lost information that might actually help.
"This data loss has set a new bar for reporters. Data thefts affecting 50,000 individuals will no longer be news. They won't be reported."
Maybe it's me, but shouldn't news that affects more people be prioritized over news that affects a much smaller number of people.
After all, how many people does the Michael Jackson case really affect? Or any tabloid sensationalist story anyhow?
I don't think I'm as cynical as Schneier in this case, but I can't imagine an issue that affects the lives of 50,000 people go unnoticed.
One thing to watch is whether the standard for disclosure, not in terms of number of people affected, but in terms of probability of actual revelation of PII to bad guys, changes.
Right now, it seems as though entities which report are doing so even if the likelihood of revelation is very small. I wonder if this will change. I've had discussions with incident response folks who are trying to develop institutional policy in this area, and the big question seems to be "how sure do I need to be that PII was taken, and recognized as such?"
Perhaps someone should talk about these multiple breaches (plus their ramifications) as a whole and what they might mean about certain parties. It is possible that people could be made more aware of privacy issues.
Incidentally, a group called the Privacy Rights Clearinghouse has a list of privacy breaches that have happened since the incident with the ChoicePoint service.
"Does rot13 suffice?"
Good question. I have met with many developers over the past few years who wonder if they can slyly evade the legislation by using the weakest encryption available. I have even heard some specious arguments from execs about ASCII as a primitive form of "encryption".
California Assembly Bill 1950, which went into effect January 1, 2005, gives much better guidance in this regard as it requires a business to "implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure."
"Reasonable" is a legal term but, more to the point, anyone would probably agree that rot13 does not qualify as reasonable protection for sensitive data.
"Public disclosure is good. But it's not enough."
At least California had the foresight to pass the breach law. And now AB1950 goes a big step further by requiring proactive measures to help prevent breaches.
I still can not believe that the US federal government actually tried to prevent California from protecting its citizens rights to privacy.
One US Senator that led the fight for FCRA reauthorization (and against CA privacy laws) is Senator Shelby (R-AL), who claimed in one of his more famous statements, "from a consumer perspective, there is no difference between a company sharing information internally between departments and sharing between affiliates."
The outrage regarding the ChoicePoint "breach" must have really taken Shelby by surprise the following year since ChoicePoint was selling identity data to an affiliate, who just also happened to be a crook.
What's really ironic is that Shelby proposed legislation in 2001 to make the sale and purchase of Social Security Numbers illegal:
"I do not know anyone in this country who believes financial institutions should be making money by trafficking in our Social Security numbers. The longer we wait to act on this issue, an issue supported by a vast majority of Americans, the more the American people lose confidence in the U.S. Congress and our ability to lead."
And he amended the Drivers Privacy Protection Act in 1999 to prevent the DMV from releasing records for marketing purposes without driver consent.
And finally he even claimed to help pass legislation in 2003 for Georgians to get free copies of credit reports to check for errors: https://www.annualcreditreport.com/
But now I have to wonder if the intent of his efforts was to help citizens clear their name or to help financial companies and credit agencies who need to improve the integrity of the data, and therefore their value. Here is an interesting case of how a credit company can evade complying with the law:
Again, I think America can thank California Senators Feinstein and Boxer for persevering against the current Administration and standing for "the principle that consumers should have the right to decide when, how and to whom their personal information is shared."
"Companies will spend money to avoid the PR cost of public shaming."
SB1386 not only presents some risk of embarrassment, but it also provides a very powerful lever that can be used to engage other regulations that carry steep financial penalties. For example, the Payment Card Industry data security standards state that companies can be fined up to $500,000 for a breach:
"Members receive protection from fines for merchants or service providers that have been compromised but found to be CISP-compliant at the time of the security breach. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not CISP-compliant at the time of the incident."
Failure to immediately notify Visa of a breach carries a $100,000 fine per incident.
In addition, some banks have already threatened to sue and/or charge merchants for negligence, and to pay for all the cards to be reissued after a breach disclosure. At $50 per cardholder, this alone can present a sizeable incentive to companies to enhance security of cardholder (personal identity) information.
Huh. Hopefully these companies will spend more effort protecting their clients' and customers' data. And I think almost everyone here agrees with your assessment of the California law. I'd like to see this in Germany, too.
Finally, a reported loss of data that includes me! I felt so left out for so long, and now my time has come. It's good to feel included. Thanks, UPS and Citibank.
I think that the real determining factor as to whether the "loss" (more like gross misplacement) of the data makes the news has a lot to do with the size of the media market you are talking about. If the loss is by a local company and only affects local people then the local media outlet is going to jump on it. If the loss is by a national company OR one which affects the data of people from all over the country then the local media outlets rightly expect the national outlets to cover the issue. The problem then is the size of the target audience and the apparent importance of the issue in the eyes of the public. That is the unfortunate reason that the Jackson Trial has become such a news spectacle: a large audience.
So based on this logic, the question becomes "Is my target audience large enough to warrant airtime for this?" and not "Is this newsworthy?"
Hopefully this apparently-recent (though, who knows how long this sort of thing has been happening unreported in the past) rash of personal data leaks will result in steps being taken to ensure that companies who deal in such data take the appropriate measures to secure and protect that data.
Much as I don't trust lawmakers to get technical details straight, *some* well-informed authority should create standards for the protection of such data and perform reviews/inspections of companies wishing to deal in personal data to ensure that they *do* either comply or be unable to legally disclose the data in any way.
Well, that would be nice, though I admit I don't have much faith in our country's ability to assemble such a body without ending up with another power-mad department like the TSA or DHS making a bad thing worse and telling us it's better.
What's interesting about this one is that it means that companies simply can't delegate any more. While I do think companies are responsible for third parties who handle their data, knowing that you can't even trust the mails makes things very difficult for them. Backup tapes should be encrypted, yes, but there are many situations where electronic data usually isn't encrypted -- desktop workstation hard disks, for example. Not being able to use UPS or other major couriers to, say, send them in for repairs will be a pain. (Why, yes, this is having some profound effects on my job at the moment....)
"Does rot13 suffice?"
Encryption in these laws need only be defined as a process which transforms the data such that the result has appropriate statistical properties.
A low serial correlation coefficient or a high entropy would do the trick. Just pick values to specify in the rules that will cause good algorithms to be accepted and undesirable ones to be discarded.
In this way, the stupid choices are likely to be eliminated, and new good algorithms may be used without any changes to regulations or legislation being required.
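The statistical bar this comment proposes, and the earlier "Does rot13 suffice?" question, can be seen working in the following added example (my code, not the commenter's, the blog's, or any regulator's). It measures byte entropy and the serial correlation coefficient over a constructed customer record, its rot13 version, and the same record under a toy XOR stream cipher built from a SHA-256 counter keystream with a fixed demo key; the record text, the key, the threshold values 7.5 bits and 0.1, and the function names are all my assumptions. The keystream cipher is only a dependency-free stand-in for a real cipher such as AES.

```python
import codecs
import hashlib
import math

# Constructed sample records (not from the page): the kind of rows a
# customer backup tape might hold, repeated so the statistics settle.
SAMPLE_TEXT = (
    "name: Jane Q. Public, ssn: 000-00-0000, dob: 1970-01-01, addr: 1 Main St\n"
    "name: John Q. Public, ssn: 000-00-0001, dob: 1971-02-02, addr: 2 Main St\n"
) * 40
PLAIN = SAMPLE_TEXT.encode("ascii")
ROT13 = codecs.encode(SAMPLE_TEXT, "rot_13").encode("ascii")

# Fixed demo key so the run is reproducible (assumption; a real key is random).
DEMO_KEY = b"\x01" * 32


def shannon_entropy(data: bytes) -> float:
    """Bits per byte estimated from the byte histogram; 8.0 is the maximum."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def serial_correlation(data: bytes) -> float:
    """Pearson correlation between each byte and the byte that follows it.

    Random-looking output sits near 0; structured data drifts away from it.
    """
    if len(data) < 2:
        return 0.0
    xs, ys = data[:-1], data[1:]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / math.sqrt(vx * vy)


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher: XOR the data with a SHA-256 counter-mode keystream.

    Stand-in for a real cipher (e.g. AES) so the demo needs no third-party
    library; it exists to show the statistics, not as a production design.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block_no = offset // 32
        ks = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(c ^ k for c, k in zip(chunk, ks))
    return bytes(out)


CIPHER = keystream_xor(PLAIN, DEMO_KEY)


def looks_encrypted(data: bytes, min_entropy: float = 7.5,
                    max_corr: float = 0.1) -> bool:
    """The rule the comment proposes: accept only output clearing both bars.

    The thresholds are assumed values chosen for this demo.
    """
    return (shannon_entropy(data) >= min_entropy
            and abs(serial_correlation(data)) <= max_corr)


if __name__ == "__main__":
    for label, blob in (("plaintext", PLAIN), ("rot13", ROT13),
                        ("stream cipher", CIPHER)):
        print(f"{label:14s} entropy={shannon_entropy(blob):.3f} "
              f"serial_corr={serial_correlation(blob):+.3f} "
              f"passes={looks_encrypted(blob)}")
```

rot13 only permutes letters, so its byte histogram is the plaintext's histogram relabelled and the entropy is identical; it fails the same bar the plaintext fails. The keystream output, by contrast, is close to 8 bits per byte with a serial correlation near zero. A practitioner applying such a rule should remember the converse does not hold: compressed data also scores high on both measures, so the test rejects bad choices rather than proving a good one.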
[sigh] How come Citigroup, and all the other financial institutions having lost tapes, disks etc in the past, didn't think about _encrypting_ anything leaving their premises? Not just to be shielded from SB1386 or the like, to protect their customers dammit. They have no excuse whatsoever, should be shamed, and I'm glad mandatory disclosure helps.
(Oh, while I'm at it, I'd bet those backups didn't and still don't provide any authentication either. Bah, who would need such a thing anyway, it's only financial data after all...)
This will only stop when companies are liable for data loss. I'm not talking about a fixed fine per person, I mean liability for every cent that is stolen as a result.
It will never happen, therefore it will never stop.
Not sure of your comment about it being "unlikely" bad guys got their hands on lost data. It's somewhere and UPS does not know where that is. My experience with their tracking is that security is on the highest level.
With the ChoicePoint, LexisNexis, etc., incidents, it is clearly beginning to escalate out of control. One of the major problems is that these companies down-play what might happen to your stolen or lost data just because there is no evidence your private information has been used. The ID theft problem is much like the terrorist threat. They can lie in waiting until everything cools down, then strike. They still have all your personal data, which isn't going to change, and which probably will receive a minimum increase in protection, even after being compromised. I speak from 35 years' experience in the junk mail industry as a mailing list broker selling your name and private information.
Having turned activist to correct this situation, I believe each individual should have 100% control over their name and personal data. Pass federal legislation to make this happen, which should also provide junk mail shoppers a piece of the action in the sale of your name ($4 billion yearly). You can read about it on my site: http://thedunningletter.blogspot.com.
Jack E. Dunning
Just read on CNN that some firm apparently lost 40 million credit cards. According to the article the attacker apparently installed a script to a database of a third party transaction handler that steals credit cards worth stealing based on certain transactions. Even though it's a serious issue it's becoming more or less hilarious. I bet sooner rather than later "information theft" in general will be considered commonplace and not worth reporting at all. Curiously, their response is apparently the same as what Bruce's been writing about. Instead of replacing those cards affected their response is to "monitor" the transactions of the cards affected trying to prevent fraudulent transactions on them. Anyways, I still have to wonder where they get those numbers from. I'd consider a hacked database compromised entirely, not just some parts of it.
I need to know the effect of data loss.