Perimeter
1/27/2012
06:02 PM
Commentary
Commentary
Commentary
50%
50%

The Mechanics Of Breach Notification

Organizations need to know what constitutes a breach of identity data according to state laws and how to respond

The vast majority of states and territories in the U.S. have rules requiring organizations managing personal information to notify affected parties if their private information has been breached. In my previous blog, I summarized the similarities and differences between what constitutes personal information in various states and which laws apply. In this post, I'll talk about what a breach is and what needs to happen when a breach occurs.

What Constitutes A Breach?
Understanding the definition of a breach will enable you to both protect your data and ensure that you don’t waste your time reporting breaches when one hasn't happened. State laws are relatively consistent with their definitions of breach. Here’s a condensed version of the definition in Massachusetts General Law 93H:

The unauthorized acquisition or unauthorized use of unencrypted data or encrypted electronic data and the confidential process or key protecting it that creates a substantial risk of identity theft or fraud against a resident of the commonwealth

The key points of the definition are that the identity data needs to be unencrypted or able to be decrypted by the attacker, and the breach must pose a threat of identity theft or fraud. This means that the theft of encrypted tapes or encrypted files from a laptop do not constitute a breach. That is, unless the encryption key happened to be stored with the data. It also suggests that organizations should encrypt their data to avoid breaches.

The language about risk makes it clear why the law (and other state laws) call out the following exception:

A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure

This means that transmission of the personal information to a partner in error or some other innocent act without unuauthorized use or disclosure is also not considered a breach.

Who Do You Notify And How?
The mechanics of notification differ slightly from state to state, but, typically you need to notify the attorney general, the affected party, and usually law enforcement. The method for notification varies, as well, but the typical approach is to require written notice or a "substitute notice" if the cost of notification is extreme. In Massachusetts, extreme costs are over $250,000, if the number of residents affected exceeds 500,000, or the organization has sufficient contact information for the victims.

Substitute notice requires the organization to do all of the following:

(i) electronic mail notice, if the person or agency has electronic mail addresses for the members of the affected class of Massachusetts residents;

(ii) clear and conspicuous posting of the notice on the home page of the person or agency if the person or agency maintains a website; and

(iii) publication in or broadcast through media or medium that provides notice throughout the commonwealth Notification: an expensive problem

As you can see from this description, notification is an expensive endeavor. However, it can be made much less expensive if you plan. Knowing the data affected, whom you need to contact, how to reach them, and what needs to be communicated can take a long time. Now, it would be best if you could avoid breaches altogether, but they happen every day, and they need to be dealt with.

Richard Mackey is vice president of consulting at SystemExperts Corp.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jcarleton920
50%
50%
jcarleton920,
User Rank: Apprentice
1/30/2012 | 3:52:17 PM
re: The Mechanics Of Breach Notification
Would a list of customer emails from an online merchant constitute a breach?

If not, what about emails and hashed passwords? -Those with weak passwords would have their passwords hacked while those with strong passwords may not? -Would you notify everyone?
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Five Things Every Business Executive Should Know About Cybersecurity
Don't get lost in security's technical minutiae - a clearer picture of what's at stake can help align business imperatives with technology execution.
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.