Decorative data breach notifications

January 25, 2011

I apologize for what might be a breach of decorum. Responding to the consultation on data privacy launched last month by the Department of Commerce, I cannot help but leak out part of my answer in advance.

The DoC is considering "ensuring effective, nationally consistent security breach notification rules" (1) and wonders how to best achieve this goal.

I hasten to say this is a worthy goal. True, many will find such an initiative a bit tardy, coming more than eight years behind California (2). But there are advantages to letting the latter play the role of a legal laboratory. The readiness of several US states to follow its lead provides the DoC with a strong argument with which to convince the targets of such a law: even if it bites, a consistent federal law is better than a hodgepodge of state laws.

Nonetheless eight years is a long time, especially on the Internet. Think of what a lack of imagination did to André Maginot's reputation (3). His famous Line was behind the times. Unless it looks ahead, a US data breach notification rule is in danger of meeting the same decorative fate.

Once communicated, information cannot be kept secret forever and, once public, it cannot be called back. Information may be called the oxygen of democracy; in reality it behaves more like hydrogen, the gas which leaks most readily. I call last week to the witness stand.

In an echo from two years ago, "a former senior Swiss bank executive [...] ha[s] given [...] Wikileaks [...] details of more than 2,000 prominent individuals and companies", report Ravi Somaiya and Julia Werdigier from London (*). "Federal prosecutors arrested two men [...] on charges of fraud and conspiracy in obtaining and distributing the e-mail addresses of 114,000 iPad 3G owners", report Nick Bilton and Jenna Wortham from Newark (**). "Silvio Berlusconi's battle with prosecutors [...] intensified [...] as all 389 pages of investigation were leaked on the internet", reports Guy Dinmore in Rome (***). "Ms Chiesi [...] pleaded guilty [...] for passing inside information about technology companies to hedge funds and others", reports Kara Scannell in New York (****). "Downing Street's communications director, Andy Coulson, resigned [...] amid continued questions about his possible involvement in the illegal hacking of celebrity telephone messages", reports Sarah Lyall from London (*****).

Lest my national pride suffer, a French car manufacturer has fired three employees it suspects of having passed company secrets to foreign competitors. Humdrum! But wait. Read David Jolly's latest report (******). "The whole story is supposed to have been started with an anonymous denunciation," says the lawyer of one of the Renault three. Since "the only details of the investigation have come in leaks to the news media", the public has been leaked the news that an informer leaked to Renault that spies had leaked confidential information. Now that is a cascade!

Sure, the past week made my day, but perhaps my evidence rests on a biased sample. Alas for American consumers, whole sites are devoted to data breaches (4). My next witness is the Identity Theft Resource Center (5). Per its statistics, 2010 saw 662 breaches affecting 16 million records, and 2009 saw 498 breaches affecting 223 million records. The latter figure includes 200 million records leaked in just two events, from Heartland Payment Systems and the US Military. But go tell the fishermen along the Gulf coast that the recent BP gusher should be excluded as an exception.

Yet the Identity Theft Resource Center only tabulates breaches which are credibly reported and which involve "an individual name plus Social Security Number, driver's license number, medical record or financial record / credit / debit card". This is but the tip of the iceberg.

With its HADOPI law, the French State has made it official that an IP (Internet Protocol) address is as good as a name. Consider that, three years ago, personal information tracked by IP address already amounted to hundreds of billions of "events". It would be curious if none of it ever leaked, wouldn't it?

Add then the breaches which are not reported, or which disclose not the name but some other personally identifiable information, aka PII, of the kind which feeds what Paul Ohm calls "the database of ruin". The total is likely to affect each of the 110 million US households several times a year.

Eight years ago the California breach notification law made its residents aware that their personal information was at risk. But with repetition soon came what has been called breach fatigue and, perverting the goal of the law, consumer indifference. Indifference was also the state of the French soldiers in Maginot's bunkers during what they called "la drôle de guerre", the phoney war (6).

So should the DoC abandon its effort to pass a breach notification rule? Certainly not, but it must find a way to regain the initiative. Requiring companies today to say "sorry, dear consumer" is akin to letting them give a Gallic shrug: "leaks happen, get used to it".

Yet a data security breach breaks what amounts to an implied contract with the consumer. If a crime has been committed, surely it is against the organization which suffered the breach, but this does not absolve it of civil responsibility. "Leaks happen" is not a legitimate excuse.

Look at what happens when an airline overbooks a flight. It backs its profuse apologies to stranded passengers with financial compensation, whether free tickets, a hotel stay or straight cash. This is the model I urge the DoC to follow.

Let the DoC establish a schedule of payments due to each consumer affected by a leak. It would apply to every organization which springs a leak, scaled according to its size, the nature of the personal information it stores and its business model. For instance, a small business which holds non-sensitive consumer information for the sole purpose of fulfilling orders would pay less than a large company which accumulates health-related data solely to enable a targeted advertising scheme for over-the-counter drugs.

Make knowingly failing to notify a criminal offense. What would be the impact? A strategic breakthrough that would put the DoC on a par with Manstein (7).

Forget consumer breach fatigue: everyone listens to money. Adieu corporate recklessness: companies would rush to insure themselves against what would suddenly be a clear, measurable financial risk. Farewell burdensome rules to ensure consumer safety: the insurance industry would quickly reward effective investments in security measures with lower premiums. Innovation would no longer favor solutions biased against eprivacy.

Imagine Facebook facing a $100 expense per consumer per breach. Mark Zuckerberg might decide to act preventively rather than follow in the footsteps of Tony Hayward. His Russian investors might even prevail upon Prime Minister Putin to crack down on Russian hackers.

Facing the heavily armored knights of pronaocracy, will the DoC listen? Once more unto the breach, dear friends, I say.

Philippe Coueignoux

January 2011
Copyright © 2011 ePrio Inc. All rights reserved.