[BreachExchange] Prevent data breaches, don’t just report them

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 12 14:01:28 EDT 2017


Imagine if a state police department website listed every home burglary
that occurred in the past decade. The website contains each home’s address,
the items stolen and a precise description of how the criminals broke in to
each home.

Such a database would make little sense, as it would provide little public
benefit, and could even give burglars a roadmap for the future. But that’s
exactly what some states have done for cybercrime.

A growing number of state regulators publicly post details of data breaches
that have compromised the personal information of their residents. Although
these state websites are well-intentioned, they serve little public good
and ultimately increase the risks of additional data breaches.

All but three states require companies to notify customers when hackers
acquire sensitive information, such as credit card numbers and Social
Security numbers. Many of those states also require the companies to alert
state regulators and credit bureaus. The notices typically provide an
overview of the data breach, a description of the information that was
compromised and the steps that the company is taking to prevent additional

State data breach notification laws are a notoriously complex regulatory
morass, with each state imposing different requirements about the types of
data that trigger the notice requirements and the precise form of
notification that is required. For instance, while some states explicitly
require consumer notices to describe the general circumstances surrounding
the data breach, Massachusetts explicitly prohibits consumer notices from
describing “the nature of the breach.”

Failure to comply with these highly technical requirements exposes
companies to significant regulatory actions and private litigation. These
requirements are particularly burdensome for small businesses, which often
do not have dedicated legal and regulatory compliance departments. For more
than a decade, lawmakers have attempted to pass a single national breach
notification law that preempts the state requirements, but those efforts
have been unsuccessful.

Until Congress passes a single breach notification law, businesses are
stuck with the incongruous patchwork of state requirements. States hope
that these required notifications will place customers on high alert for
possible identity theft. These laws also are grounded in a name-and-shame
rationale: Companies might invest more in cybersecurity if they knew they
would be required to tell customers and regulators about data breaches.

The efficacy of state breach notification laws is debatable. A recent RAND
survey found that more than a quarter of U.S. adults received a breach
notice in the past year, and 89 percent of them continued to do business
with the company that reported the breach.

There is even less support for the claim that consumers benefit when states
such as California and New Hampshire post detailed information about
breaches on public websites, often including samples of the notices that
the companies provided to customers. This year, Massachusetts became the
latest state to publicize breaches of its residents’ information, though
its summaries are more limited than those in other states.

If a customer’s data was exposed in a breach, that customer presumably
would receive a notice directly from the company. State attorneys general
and other regulators also would have received a notice. The company already
has been named and shamed to the audience that matters most. It is
difficult to imagine the average customer routinely scouring state data
breach lists before deciding which business to patronize.

So it makes little sense that, for example, New Hampshire publicly posted a
letter from a hotel chain’s lawyer describing a malware attack that may
have exposed the credit card numbers of 30 New Hampshire residents. Nor is
it in the public interest for California to publicize that a healthcare
system’s vendor inadvertently left patients’ personal information
accessible via the internet.

Such information likely provides leads for plaintiffs’ lawyers to organize
class action lawsuits against the breached companies. Indeed, it would not be
surprising to learn that lawyers use such lists to find leads for potential

More troubling, however, is the possibility that the breach notice websites
provide a useful roadmap for cybercriminals. Hackers’ most valuable tool is
information. With this information, criminals could learn which companies
have failed to adequately secure customer data and the types of attacks
that are particularly effective against those companies. The online breach
databases also might alert criminals that customers’ personal information
is for sale on the dark web.

Of course, breach notices are not classified documents, so if a company
notifies thousands of customers, news of the breach likely will come from
the media and sources other than the state website. And companies often
issue press releases about large breaches. But these state websites provide
a centralized database not only of the large breaches at massive retail
chains, but also of attacks on small businesses and nonprofits, which probably
cannot recover as quickly or protect themselves against future breaches.

Just as the state police should focus on helping communities prevent crime
rather than publicizing the buildings that have open windows or weak locks,
state cybersecurity regulators should focus on preventing breaches from
occurring in the first place.

The public data breach lists are a symptom of a deeper problem: U.S.
cybersecurity laws place a disproportionate emphasis on notifying the
public after a breach has occurred. While notice always will play a role in
remediating harm, policymakers should shift their focus to preventative
measures, such as more robust and clearer data security standards and
incentives for investments in cybersecurity.