Data Loss Prevention Strategy

Transparency as Compliance with Data Security Regulation

How are data holders to comply with the swelling riot of data security laws?  These laws include breach notification laws, which require that individuals and/or government be notified when the security of private data has been compromised.  Perfect compliance is impossible.

Almost all the states have adopted breach notice laws – though they are not uniform – and legislatures are expanding the scope of the laws.  

The original law from California (effective six years ago) focused on identity information – name plus social security number, driver’s license number or financial account number.  Then the California legislature expanded its law to also include breaches of medical data. That expansion became effective January 1, 2009.  Result?  In the first five months of 2009, California authorities were notified of a whopping 823 healthcare data breaches, mostly through self-reporting by healthcare entities. That’s just one industry, in one state, in five months.  And California authorities anticipate that the flow of notices will rise as people in the healthcare community become better aware of the new law. 

A data breach can occur in myriad ways:  a misdirected fax or e-mail, a hacking incident or snooping by an employee.

Meanwhile, we see floods of breach notices issued in other states and other industries – retail, nonprofit, colleges, financial, professional services, water districts, school districts, county government, municipal government, state government, federal government.  No organization is immune.  As these laws sit longer on the books, the flow of notices grows larger and larger.

Why are there so many notices?  The reason is that the laws assume that 100% data privacy can reasonably be achieved.  They further assume that any shortcoming (or suspected shortcoming) of data privacy should be an unusual event within well-managed enterprises.  The assumptions are wrong.  
The expectations of the public, and especially the expectations of policy makers, are out of touch with the reality of modern data management.  These outsized expectations contribute to a growing risk of monetary liability on the part of data holders.

So what are data holders to do?  Obviously they need to invest in data security, training and investigation – and they have been.  But banks, schools, utilities, clinics, hospitals, merchants and government agencies can throw massive investments at this problem and never meet present expectations.

Wise organizations will start talking in public about data security.  I recently recommended to a municipal power utility that it convene public forums on the topic, and involve community leaders such as representatives from the city council and the state's attorney general's office.  Organizations like a power utility need to inform the public about how challenging and expensive it is in reality to protect 100% of the data 100% of the time.  They need to explain in detail why it is impossible to close off all security risks while performing their regular services to the public.  And they need to seek input from stakeholders.

No, mere publicity and public dialog will not absolve organizations from issuing breach notices in compliance with law.  

But transparency – candid, open disclosure of problems in advance can influence how harshly authorities, such as courts, attorneys general or consumer protection agencies, interpret and enforce these demanding laws.  Our legal system has long held that organizations will be treated more leniently when they display diligence toward compliance with difficult laws.

Update:  Even e-mail security vendor McAfee inadvertently broadcast via e-mail a spreadsheet containing details (including dietary preferences) of some 1408 conference attendees.

Update:  A data leakage audit of a Boston CPA firm revealed that staff made an astonishing 3200 data security slip-ups over the course of the 38-day audit.  This is a firm that believed it possessed the required policies and technology to protect data. Jackie Noblett, “One Firm’s Story: Your Data Isn’t As Secure As You Think,” Boston Business Journal, Dec. 26, 2008.

Another update:  A survey shows that mere accidents by employees account for far more data security breaches than do malicious actions by insiders.

One more update:  IT Security breaches soared in Canada in 2009.  The Globe and Mail, September 29, 2009.
 
–Benjamin Wright

At the SANS Institute, Mr. Wright teaches computer security law, where he stresses that a cyber-security program must include effective public communications. 

PII Security Legislation

Safeguard Anonymous Private Data?

Patterns of Behavior Are Protected Identifiers?

Privacy as a legal concept is in crisis. The law of privacy is becoming so expansive that the scope of the law is confusing, and literal compliance can entail strange and arduous effort.

Connecticut Legislation

Consider Connecticut’s new Public Act No. 08-167. Section 1(a) says, “Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties . . .” Then, Section 1(c) explains:

“As used in this section, ‘personal information’ means information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.”

That seems like a breathtakingly broad definition.

Observe that it considers any “account number” as an identifier that triggers the requirement for security in Section 1(a). Public Act No. 08-167 does not define “account number,” which can make for surprising results for all kinds of organizations that collect money, including small ones like neighborhood parent-teacher associations. 

Surprising Case Example - Health Club Locker Number 

For example, suppose a small health club keeps track of membership payments according to locker numbers, which are viewable in the locker room. That practice may be a mistake under Connecticut’s law because anyone walking through the locker room could learn that my locker number, i.e., my account number, is “57". That unit of identifying information might be misused by, say, a snoopy debt collector who is investigating how much I spend on luxuries like club membership. Knowing my name and locker number, he could telephone the health club and say, “This is Ben Wright, and my locker number is 57.  Can you tell me how much I owe on my club membership this month?”

So, to say it in different words:  This little health club has opened itself to a lawsuit in Connecticut by doing something (making account number and locker number the same thing) that would seem to be perfectly natural and insignificant to anyone but the most paranoid of lawyers.

Behavior Patterns as Identifiers?

Although Connecticut’s law itemizes some identifiers like “account numbers” and Social Security numbers, its definition of personal information reaches wider than the itemized list.  The law regulates any and all “information capable of being associated” with a person through an “identifier.”

What kinds of information can be used to identify people by way of an “identifier?” What about patterns of behavior and patterns of social relationship? Could patterns of activity be “identifiers?” I don’t see why not.

Academic researchers have demonstrated that so-called anonymous data about human behavior can be used to identify individuals. For instance, researchers started with “anonymized” data from one Web 2.0 service, Twitter.  From this data, they ascertained the identities of individual Twitter users.  How did they do it? They drew on behavior data from another Web 2.0 service, Flickr.  By comparing maps of relationships from unnamed Twitter users with maps of relationships for known Flickr users, the researchers uncovered the identities of the Twitter users!

From the perspective of privacy, this research is chilling.

Is All Data About a Person Private?

Responding to this research, a privacy advocate is naturally inclined to say that no one should keep any data about anyone. 

While that response may be excessive, it does accurately reflect the privacy concern when anyone retains information about the patterns of behavior of individuals.

Another Case Example - Identifying People by Writing Style

So given how information about behavior patterns can serve as the “identifiers” of an individual . . . let's consider the following application of Connecticut law.  Suppose a small nonprofit in Connecticut works with volunteers to develop and publish opinions on controversial civil rights topics, such as abortion or homosexual marriage.  The organization attributes the opinions only to itself, without identifying the volunteers involved in writing them.  

Sally is one of those writer volunteers. The organization publishes a controversial opinion based largely on prose composed by Sally. Could the organization be violating Connecticut law simply by publishing Sally’s written words? Logically, the answer could be yes. Here’s the logic . . .

Examples of Sally’s writing – on non-controversial topics – appear in association with her name in many public places such as blogs, libraries, Facebook pages, LinkedIn comments, letters to the editor and so on.  

Research shows that people can be identified according to their writing style – syntax, word choice and so on.  In fact, researchers today track “anonymous” terrorists according to the style of their writing, records and communication on the web.

Hence, when the civil rights organization publishes Sally’s words, even with her name removed, it is failing to safeguard her personal information.  It is opening her to embarrassment and ridicule by people who disagree. Adversaries could analyze the patterns of behavior exhibited in the published words and ascertain that Sally is the author!  

In other words, in the legislative terms of Public Act No. 08-167, the organization failed to protect her personal identifying information (i.e., the patterns of her unique writing style woven into her text) from being "misused" to criticize her personally. 

What Does This Mean in Practice?

So what could the organization have done to comply with Connecticut law?  Before publishing Sally's words, the organization could have removed from the words the “identifier” linking to Sally by hiring a team of third-party writers to rearrange the words into anonymous writing style.

Shiver my timbers. Thats a lot of work for a small nonprofit, just to comply with Connecticut privacy law.  The regulation chills free speech.  Is that really what the Connecticut legislature had in mind?

Society faces an emerging conflict between the civil right of privacy and the civil right of free speech.

Global Impact of Strange Legislation

Notice that the foregoing conundrums arise from legislation enacted by just one small US state.  But in our Internet-connected world, the data privacy law of Connecticut can be applicable to the activities of an organization in Australia or Hong Kong.  Further, nothing prevents the legislature of Arizona, Pennsylvania, Michigan or name-your-jurisdiction from adopting law that is similarly strange and broad in scope -- all the while using words and standards that differ from Connecticut's.  

Full compliance with data privacy law has become very difficult.

–Benjamin Wright

Mr. Wright teaches data law, including electronic data discovery (EDD) at the SANS Institute.

Private Data (or Personally Identifiable Information) Definition

Data Leakage Law

The key to avoiding liability for data leakage is due diligence. As a broad generalization, the law of data security rewards those who are diligent, who exercise due care to prevent a compromise of privacy. Hence, if a data holder is diligent, but still suffers a mishap, it is less likely to be held legally liable when a data subject decides to sue.

For example, Guin v. Brazos Higher Education held a loan processor was not liable for a compromise of data security, in part because the processor had taken reasonable steps to protect the data (including a written security policy and risk assessment).

Reasonable steps, or due diligence, can include application of latest technology, such as filters that inspect outgoing data transmissions and scrub or block those that appear suspicious.  An e-mail filter would have been helpful to the Palm Beach County health department when an employee inadvertently broadcast a list of HIV/AIDS patients to 800 county employees.

When employing such filters, however, an issue is to know what to filter.  Obvious targets for filtering are Social Security Numbers and credit card numbers. But privacy is a context-specific abstraction. To understand which data are and are not private, organizations have to be sensitive.  For example, a person’s name plus postal address are normally not considered private.  That information is commonly published in directories like telephone books. However, as one of my SANS Institute students taught me, a public housing authority is wise to consider the name plus postal address of its residents to be private. The reason is that some residents are sensitive about living in public housing, and consider their postal address (at a public housing location) to be private!

Update: Netflix (the movie rental company) learned how context-specific PII can be.  Netflix gave "anonymized" data about the viewing interests of its users to researchers so they could help develop better algorithms for suggesting to users new movies they'd like to see.  But academics have shown that most any information about a person (such as movies watched) can be used to identify the person if it is matched with enough context (data on time, location and so on are good examples of context that can turn anonymized data into PII).  So Netflix’s research project drew a lawsuit saying the data it exposed to researchers was actually PII.  The project also attracted attention from government watchdog Federal Trade Commission.  Netflix settled the lawsuit and ceased that particular line of research.

--Benjamin Wright, computer security law instructor for SANS Institute (CLE and CPE).

Secured Personal Data On Stolen Laptop

Data Breach Notice to Employees and Dependents

Compromise of Password-Protected Computer Lost in Burglary

Anheuser-Busch notified thousands of employees that their personal data, and the data of their dependents, may theoretically be at risk of identity theft. The data were on a password-protected laptop, and the data were encrypted.

The case comes to light because one of the states involved, New Hampshire, requires notice be sent both to affected individuals and to the state attorney general, who publishes the notices on the web. New Hampshire’s law does not require notice if data were encrypted. AB says the data were encrypted. It also says it has no information suggesting the burglars are attempting identity theft. So why did it give notice?

My guess is that the company was motivated more by the politics of the situation than a strict reading of the law.