Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

3/27/2018
10:00 AM
Dallas Bishoff
Dallas Bishoff
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Privacy: Do We Need a National Data Breach Disclosure Law?

Some say we need a more consistent approach, while others worry a national law might supersede and water down some state laws already on the books.

The demand for a national data breach disclosure law is, in part, a broader topic about privacy management and regulation on a national basis. The United States' approach to privacy management is largely industry-sector driven — and, as a result, mandates are fragmented.  

At a fundamental level, we all have personal identities and, as an extension, digital identities. They can be thought of as personal possessions — basically, as assets. The fact that our identities can be misused makes them a potential liability, as well, creating the legal basis for harm, neglect, and damages. The point of a national data breach disclosure law is focused on promising a consistent approach that gives the public more assurance.

Modern consumers need more confidence in how their identities are used and managed on the Web, and they need reassurance that, when necessary, they will be notified so they can take actions to protect themselves from the dark side of the Internet world. The Internet is not inclined to protect the public, so laws are necessary.

Identity, the protection of our identity, and what is the basis for privacy management is not a new topic, or something created by an out-of-control, artificial intelligence-driven computer society. Early writing on the topic includes "The Right to Privacy," written by Samuel Warren and Louis Brandeis and published in an 1890 issue of the Harvard Law Review. At that time, a new technology, photography, was all the rage in claims of privacy invasion. A picture is — and will continue to be — personal identifiable information (PII). PII instantiates your identity, which in turn can be used to violate your privacy without your consent. However, as technology pushes endless boundaries, we find that principles and laws are strained to remain up to date and relevant.

Right now, the US does not have a national privacy management standard, per se, and certainly there is no uniform breach notification law. Instead, the United States treats the regulation of privacy as an industry-centric issue. We have healthcare laws that address privacy, but only when the privacy data is protected health information, a form of PII. We also have commercial credit laws mandated by the Consumer Credit Protection Act, enacted in 1968. Of course, there are other examples, which demonstrate that the federal government does not have a single, uniform approach.

Instead, the federal government has left this up to the states, creating a patchwork of laws. The National Conference of State Legislatures website depicts the wide ranging approach of the states. This creates a tremendous burden on the business community.

An Incentive Not to Report
In the US, an identity is compromised every two seconds. Globally, in 2017, 26.1% of all companies confidentially surveyed in the 2017 Thales Data Threat Report reported a breach, up from 21.5%. Across all companies worldwide, 67.8% confide that they have experienced a breach at one point. Within the US, that number is 73%. These numbers, startling or not, do not set aside the fact that companies have incentives not to report without a compliance mandate. Note the logic: if there is no penalty for failing to report a breach, why would a company want to report a breach? If nobody else knows, then damage to reputation, the cost to address the breach, and action against a company may be avoided. Without legal mandates, companies have incentives not to report.

In recent weeks, both retailers and financial services firms have called on the US Congress to create a federal data breach disclosure notification law that supersedes state data breach notification laws. They contend a federal standard would simplify compliance and make the threshold for disclosure clear to businesses and consumers alike. However, there are alternative views.

Some would argue that 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation already. Therefore, Congress need not rush in to fill a vacuum that does not exist.

Others, such as the American Bankers Association, argue that the patchwork approach, rules, criteria, response, and definition of terms are inconsistent, and put an ever-increasing burden on US businesses.

However, many of the states that have breach notification laws are concerned that a federal approach could supersede and reduce protections enacted to protect their state citizens. Remember, the states took action because the federal government failed to do so.

Some argue for a national law that would allow each state to enhance the protections. The net results, though well intended, may be even more convoluted.

Then there is the state revenue dilemma. Superseding state laws and invoking federal standards, rules, fines, and penalties would deplete revenue generated by state jurisdiction and venue for legal redress.

Others would continue the argument that a data breach depends on the nature and type of data. A healthcare breach is not the same as a financial system breach or a retail data breach. Those that trade in stolen identities might support this argument, noting that a compromised healthcare identity trades on the black market at a higher price premium than other compromised identity.

Here is what cannot be argued: your identity is an asset and, when violated, can be a liability that enables identity theft and general invasion of privacy. If I, as an individual, entrust my identity to the charge of another individual or entity, I have a reasonable expectation for responsible behavior. If an entity loses control over my identity, I have a reasonable expectation to be informed in a timely manner so that I, too, can take actions to mitigate the risks of any compromise and adverse outcome to my identity.

That starts with timely notification so that I can act defensively. There may be many perspectives on privacy, but there's undeniably a need for timely breach notification.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Dallas Bishoff manages security consulting services for PCM. He is responsible for profit/loss, utilization, staff growth and capabilities, customer satisfaction, and both creation and oversight of standardized security offerings including: vCISO, GRC assessments, PCI ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/30/2018 | 6:42:18 PM
Re: Victim Shaming
@Dallas: On this "victim shaming", I'm going to suggest that in some cases it's well deserved. Facebook deserves it now and deserved it in 2012 because of how they have disrespected users and their data for so long. Uber deserves it too, for similar reasons. The healthcare industry DEFINITELY deserves it because they are lagging behind so much -- and because people don't have as much choice about their healthcare providers or insurance carriers. And it's a huge motivator for e-commerce -- because they know that the brand damage will simply cause people to move to another platform (unlike with, say, a bank; people aren't going to en masse move investment accounts and mortgages and credit cards because of a little breach -- especially considering the consumer protections in financial services).
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/30/2018 | 6:36:55 PM
Re: Web
Sure, but we ALREADY HAVE numerous state laws here. Federal law on data-breach notification specifically isn't going to add any meaningfully significant privacy protections (unless there was to be a severe cracking down, with far stricter requirements and shorter deadlines than even the strictest states require -- which would have its own drawbacks) except to further confuse compliance officers and confound compliance efforts -- the cost of which get passed on to customers, meaning that these companies now need to sell even MORE user data.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/30/2018 | 6:33:37 PM
Let's leave it alone.
I understand the concerns, but at this point, it doesn't matter much. Almost all the states have their own laws here, and the strictest states (effectively MA, CA, and -- where PCI-DSS is concerned -- MN, NV, and WA) effectively create "floors" for national/regional organizations. To put federal law/regulation on top of this all would seriously muck things up even more for compliance efforts, IMHO.



(Disclaimer: This post is provided for informational, educational and/or entertainment purposes only. Neither this nor other posts here constitute legal advice or the creation, implication or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.)
DallasBishoff
50%
50%
DallasBishoff,
User Rank: Author
3/28/2018 | 9:00:13 PM
Re: Victim Shaming
It is important to note that most people who provide their privacy information to a third party are doing so for the purpose of receiving a service, or participating in a collective social forum. Many organizations cannot provide the service to an individual without collecting personal information. For instance, any transaction that involves a credit card payment. In that regard, there is no basis for "victim sharing." The individual has done nothing more than picked a service provider. Unfortunately, sometimes these types of data sets are compromised. 

Now, if you are referring to an independent vendor with a data set that includes privacy data, many of them are already very sensitive to the reputation risk associated with a data breach. In a breach, they too are a victim, noting that a compromise may involve a criminal act. However, not all breach scenarios involve criminal acts. There is a long history of data disclosures that are a result of simple human error - an access control mechanism was not implemented properly, and the ability to freely discover and access the data was both possible, and actually occurred. 

In summary, victim shaming is not going to make the landscape better. Problems are solved through addressing the root cause, and not symptomatic attributes. However, thank you for your thoughts. As the author of the article, I hope that you benefited from the perspective presented.

 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/28/2018 | 7:09:35 PM
Re: Victim Shaming
Yes, we need to do more to protect the data and privacy. I agree. There is a shared responsibility everybody needs to pay attention and do their parts, and then there is criminals we need to go after.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/28/2018 | 7:06:21 PM
Re: Victim Shaming
Easier to go after the victim and blame them for what they could have/should have/might have done differently. This make sense, at the same time when it comes to security it is everybodys responsibility.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/28/2018 | 7:03:59 PM
Re: Victim Shaming
Maybe it's time that we return to criminalizing the criminal instead of the victim This is a good point to raise. Holding the criminal responsible is the way to go.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/28/2018 | 7:02:29 PM
Standard
They contend a federal standard would simplify compliance and make the threshold for disclosure clear to businesses and consumers alike. This may be good to get early notification when there is a breach, if you remember yahoo, they reported it 4 years later.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/28/2018 | 6:59:10 PM
Two seconds
In the US, an identity is compromised every two seconds. This is really very scary to hear. There has to be a better way to manage security of our indentity
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/28/2018 | 6:55:43 PM
PII
We have healthcare laws that address privacy, but only when the privacy data is protected health information, a form of PII. PII may apply outside of healthcare as far as I understood, for healthcare there is PHI protection.
Page 1 / 2   >   >>
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16649
PUBLISHED: 2019-09-21
On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the...
CVE-2019-16650
PUBLISHED: 2019-09-21
On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same socket file descriptor number. In opportunistic circumstances, an attacker can simply connect to the virtual media service, and then connect virtual USB devices to the se...
CVE-2019-15138
PUBLISHED: 2019-09-20
The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL.
CVE-2019-6145
PUBLISHED: 2019-09-20
Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. This enables local privilege escalation to SYSTEM user. By default, only local administrators can write executables to the vulnerable directories. Forcepoint thanks Peleg Hadar of SafeBreach Labs ...
CVE-2019-6649
PUBLISHED: 2019-09-20
F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings.