Breach notification escape mechanisms

(Posted by cwalsh)
In a somewhat incendiary piece published today at Securityfocus.com, Robert Lemos reports on loopholes in notification laws which permit firms to avoid informing people that their personal information has been revealed.

According to the article, which along with unnamed "security experts" also cites industry notable Avivah Levitan, "[t]here are three cases in which a company suffering a breach can bypass current notification laws". The first is where notification would impede a law-enforcement investigation. The article describes the other two as follows:

If the stolen data includes identifiable information--such as debit card account numbers and PINs--but not the names of consumers, then a loophole in the law allows the company who failed to protect the data to also forego notification. Finally, if the database holding the personal information was encrypted but the encryption key was also stolen, then the company responsible for the data can again withhold its warning.

Not quite. At least one state has a law that closes the quoted loopholes.

New York's law says the following:

    ARTICLE 39-F
    NOTIFICATION OF UNAUTHORIZED ACQUISITION OF PRIVATE INFORMATION

    Section 899-aa. Notification; person without valid authorization has acquired private information.

    § 899-aa. Notification; person without valid authorization has acquired private information. 1. As used in this section, the following terms shall have the following meanings:

    (a) "Personal information" shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person;

    (b) "Private information" shall mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:

    (1) social security number;
    (2) driver's license number or non-driver identification card number; or
    (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;

As can be readily seen, the encryption loophole is decidedly not present: data that was encrypted counts as "private information" all the same if the encryption key was also acquired. Moreover, "personal information" is defined as any identifier (name, number, personal mark, or otherwise), so exposure of a name alongside one of the listed data elements is sufficient to trigger notification but is not necessary; an account number and PIN tied to any other identifier of the person will do.

Inasmuch as this latest breach undoubtedly involves at least one New York State resident, it would appear to this layman that attempts to justify a failure to notify on either the "it was encrypted" or the "but they didn't steal any names" loophole are perilous at best.

If state breach legislation is not pre-empted at a national level, others would do well to study the example set by the Empire State. (Updated to add specific mention of law-enforcement exception)

Posted by cwalsh on March 20, 2006 at 8:11 PM in Legal, breach analysis.


Comments

The article has been corrected. I appreciate you noting the error.

While I hope there won't be a next time, if there is, please also drop me a note regarding the error.

Thanks.

-R

Posted by: Rob Lemos | March 21, 2006 10:31 AM


Rob:

Thanks. I'm hoping that the conventional wisdom (even, it seems, among the experts you cited) begins to recognize that not all state laws suffer from the defects you noted. Just the majority of them :^(


Posted by: Chris Walsh | March 21, 2006 11:04 AM