Federal data breach law should be approached with caution


By Adam Levin, ThirdCertainty

With each passing brand-name megabreach—Home Depot, Target, JPMorgan Chase, Anthem—it becomes ever more urgent for government and industry to get on the same page about how to protect consumers.

Sadly, not all laws are created equal, and there are few better examples of this homespun truth than a would-be federal law currently wending its way through Congress. And not to put too fine a point on it, the Data Security and Breach Notification Act of 2015, in its current form, has a long way to go before it should become the law of the land.


The Data Security and Breach Notification Act of 2015 “aims to tackle the nation’s growing data security threats and challenges.” So far, that sounds pretty good to me. The bill was written by Energy and Commerce Committee Vice Chairman Marsha Blackburn (R-Tenn.) and Rep. Peter Welch (D-Vt.), making it a bipartisan effort. The goal: to implement “a comprehensive plan to help safeguard sensitive consumer information and shield Americans from the harmful consequences of cyber attacks.”

I’ve written elsewhere about the need for a federal breach notification law, so in theory I’m on board. A strong federal law that requires businesses and government entities to inform people that their personal information has been compromised in a data breach can absolutely be a good thing … if it’s done right.

The problem with this proposal is that there are far more effective laws already on the books in several states, and they could be pre-empted if the bill were to pass. If that weren’t bad enough, the proposed bill also could supersede stronger rules already put in play by the FCC with regard to telephone, broadband Internet, cable and satellite user information.

The undermining of better laws is bad, but worse is the way the Data Security and Breach Notification Act of 2015 underscores a continuing failure of our leaders to fully understand the nature of the problems we face in the mare’s nest that is consumer privacy and data security.

In a widely publicized survey conducted by the Pew Research Center, “91 percent of adults in the survey ‘agree’ or ‘strongly agree’ that consumers have lost control over how personal information is collected and used by companies.” Data breaches, and the identity theft that flows from them, have become the third certainty in life. We need a strong federal law, but any proposed bill that threatens to weaken existing laws has to be challenged, quickly and without equivocation.

Reasons to be wary

Laura Moy, senior policy counsel at New America’s Open Technology Institute, eloquently outlined the problems this bill could create in her recent testimony before the House of Representatives.

In a wide-ranging discussion of the major concerns raised by the bill, Moy pointed out some of the laws that could be pre-empted. One was California’s Song-Beverly Credit Card Act, which made it illegal to record a credit card holder’s personal identification information during a transaction. Another law in Connecticut outlawing the public posting of any individual’s Social Security number also was named. Both state laws represent solid advances in the realm of data security, and both might be pre-empted if the bill moving through Congress succeeds.

And here’s the really bad news: They would be two of the less alarming casualties.

The problem with the bill hinges on the way that it tries to separate privacy from data security, but they are inextricably intertwined. This could weaken or even eliminate protections for the many kinds of information—like your email address, for one—that fall outside the bill’s narrow definition of the personal data that is covered. That’s why this matters so much.

As Moy argued during her testimony, “Many laws that protect consumers’ personal information [can] be thought of simultaneously in terms of both privacy and security.” I will go one step further and say that I do not believe it is possible to discuss data security until we have a worst-case scenario definition of what constitutes personally identifiable information in the eyes of an identity thief.

To give an example of the kinds of pre-emption that are possible here, Florida’s privacy law includes email and a consumer’s username-password combination in its definition of personal information, the logic being that consumers use the same combination for many different login pages, including financial accounts.

A handful of states currently mandate the same standard—California, Missouri, New Hampshire, North Dakota, Texas, Virginia—and on July 1, Hawaii and Wyoming will join them. Under the currently proposed bill, a business would not have to notify you if your email and username-password combination were involved in a breach. Meanwhile, the above kinds of information continue to be highly exploitable data points in an identity thief’s toolkit.

In addition to the exemption of breaches that “only” include email addresses or user login details, the bill is unclear about personal information related to telecommunications, cable and satellite customers, which hinges on a trigger of “authorized access,” and Moy believes it may supersede important protections created by the Communications Act. Most alarming is the prospect of less robust notifications regarding compromised customer proprietary network information (CPNI) that includes texts, phone calls, every location where you were when you made this or that phone call, your location when you didn’t make a phone call, and the location of all your network-connected devices.

All this information could be breached, and this proposed law says you don’t need to know about it. The same goes for what you watch on television, including any items you may have purchased on Pay-Per-View. All of it could, hypothetically, be out there open to public perusal. Every site you ever visited online. Every call. Every text.

And what about your protected health information (PHI)? Critics note the bill doesn’t mention it, which at first blush seems like a four-alarm-fire level of noncomprehension. However, whether the product of partisan warfare or common sense, it’s actually a bit of good news. Because it has been entirely carved out here, most forms of PHI actually would still be covered by the notification requirements of the HIPAA/HITECH Act—with a few notable pre-emptions of existing state law affecting over-the-counter purchases and other health-related items.

Bytes may come back and bite

According to the narrow logic of the proposed legislation, a breach of any of the above information will not result in financial damage, which is the reason it isn’t covered. It’s a position easily brushed aside with one mind-blowing word of refutation: Extortion. Scam artists have countless tricks up their sleeves, and the onus to anticipate the adaptive nature of crime falls on legislators. A single text or rented video could potentially ruin a person’s life, and fraudsters know that. If the wrong person has access to the above data points—and any of those bytes contain information that might harm you professionally or personally—they most certainly could be used against you for financial gain.

A recent Science study showed that with just a few data points (Instagram posts and tweets) it was possible to re-identify anonymized data about credit card purchases with the unique consumer who made them. While it may seem off the beaten path, the proposed bill, with its narrow definition of what should be covered, would not cover a glitch in Instagram’s code that revealed protected accounts to the public.

For the end user unaware that their private posts were viewable, and that those posts could be used to re-identify data that is publicly available, the above hypothetical scenario featuring a “financially harmless” compromise (that revealed every purchase made on an individual’s credit card) could be a life changer—and not for the better.

What we really need in the federal government is someone in a position of authority with the expertise and knowledge to make sure anyone exposed in a breach knows about it, and is informed about the potential fallout as far as current intel permits as quickly as possible. Call this person a breach tzar, if you will. Since data-related crimes are often quite ingenious, isn’t it best to err on the side of caution? The fact is that any federal law aimed at protecting consumers from the danger of identity-related crime needs to be best-in-class, and far better than all the existing state laws combined, and, while it should go without saying, it must not supersede stronger existing protections afforded by nonstate agencies.

There is still a yawning gulf between what’s been done so far and what needs to happen in the realm of cyber legislation. The protections we deserve are a work in progress, one that the entire constellation of consumer advocates and data-security experts must solve in concert. In the same way data-related crimes are constantly evolving, we need to get into the habit of responding to the very biggest picture we can imagine.

Full disclosure: IDT911 sponsors ThirdCertainty. This story originated as an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.

Adam Levin is chairman and co-founder of Credit.com and Identity Theft 911. His experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit.
