Posts Tagged ‘breach notification laws’

Missouri Signs Data Breach Legislation

Thursday, July 23rd, 2009

Missouri has become the 45th state to enact data breach notification legislation! On July 9th, Missouri Governor Jay Nixon signed House Bill 62 into law; the law will go into effect on August 28, 2009. Though House Bill 62 bundles a number of different provisions into one law, it contains a section on security breaches.

The new data breach notification law requires that individuals be notified when their personal information is breached. The law defines personal information broadly: not just financial information or Social Security numbers in combination with names, but also any unique electronic identifier or medical information.

The new law also requires that the Missouri Attorney General and the national consumer reporting agencies be notified if the breach affects more than 1,000 individuals. Civil penalties for violating the statute may reach up to $150,000 per breach.

Via digestible law

3 Reasons for Breach Notification Laws

Monday, February 2nd, 2009

Bruce Schneier has put together an excellent post about why we need federal breach notification laws (something I stand behind as well). His post opens with 3 reasons why we should have breach notification laws:

  1. It’s polite to tell someone if you lose something of theirs
  2. It provides stats to security researchers about the scope of the issue
  3. It forces companies to improve security

The third point is based upon the premise that companies forced to bear the costs of data breaches (both intangible, in loss of trust, and tangible, in the costs of notification) would take extra steps to protect said data. Schneier references a study done by researchers at Carnegie Mellon University that seeks to determine whether data breach disclosure laws have reduced identity theft. The study found only a 2% decrease, on average, in identity theft for states with disclosure laws vs. those without.

Bruce Schneier points out that the study can’t be relied on for this type of conclusion. Since more data breaches are being reported now than five years ago, notification laws or not, it’s difficult to compare “before and after” data. He also brings up a number of other issues: ineffective security improvements, the types of data breaches involved, the reduction of the ‘shaming’ effect, and more.

A recent study by the Ponemon Institute, sponsored by PGP, now puts the cost of a data breach at $202 per record. However, Schneier believes that the hard cost of breach notification is not as effective an incentive as it used to be. Yet he argues that the other points still merit the law:

“Disclosure is important, but it’s not going to solve identity theft… The reason theft of personal information is common is that the data is valuable once stolen. The way to mitigate the risk of fraud due to impersonation is not to make personal information difficult to steal, it’s to make it difficult to use.”

Breach notification laws only deal with one side of the identity theft problem. Schneier argues that further laws are necessary to prevent financial institutions from granting credit to someone with minimal personal information.
