Team for Research in Ubiquitous Secure Technology

Security Breach Notification Laws: Views from Chief Security Officers
Samuelson Law, Technology & Public Policy Clinic

Citation
Samuelson Law, Technology & Public Policy Clinic. "Security Breach Notification Laws: Views from Chief Security Officers". Technical report, University of California, Berkeley, December, 2007.

Abstract
At least 36 states have enacted legislation requiring organizations that possess sensitive personal information to warn individuals of security breaches. California led the way in the creation of these laws, driven by concerns about identity theft and lax information security. In following California's lead, other states have expanded upon the requirements of the California statute by, for example, requiring that organizations report breaches to a state regulatory agency. Much still needs to be learned about information security practices, security breaches, and the link between these breaches and fraud. However, the proliferation of state laws has driven many businesses to call for federal security breach legislation that overrides state law. Data holders have begun to question whether consumers pay attention to security breaches, and whether most security breaches result in identity theft. In the midst of calls for federal legislation, survey data collected on identity theft reveals that the crime is becoming more complex and difficult to track. Security breaches no doubt contribute to some identity theft, but it is unclear how much. Also, while some federal proposals require different notification policies based on the size of the security breach, since stealing identities is labor intensive, a small breach may be just as risky as a very large one. Organizations have not yet formulated notices that communicate security breaches effectively to consumers. The idea that consumers will become inured to notices and ignore warnings is a familiar refrain, but even if some customers ignore notices, apathy among some does not justify abrogating the rights of all to receive notices of security breaches. Furthermore, this problem suggests a remedy of creating better notices, rather than providing none at all. 
This study surveys the literature on changes in the information security world and significantly expands upon it with qualitative data from seven in-depth discussions with information security officers. These interviews focused on the most important factors driving security investment at their organizations and how security breach notification laws fit into that list. Often missing from the debate is that, regardless of the risk of identity theft and alleged consumer apathy towards notices, the simple fact of having to publicly notify causes organizations to implement stronger security standards that protect personal information. The interviews showed that security breaches drive information exchange among security professionals, causing them to engage in discussions about information security issues that may arise at their and others’ organizations. For example, we found that some CSOs summarize news reports from breaches at other organizations and circulate them to staff with "lessons learned" from each incident. In some cases, organizations have a "that could have been us" moment, and patch systems with similar vulnerabilities to the entity that had a breach. Breach notification laws have significantly contributed to heightened awareness of the importance of information security throughout all levels of a business organization and to development of a level of cooperation among different departments within an organization that resulted from the need to monitor data access for the purposes of detecting, investigating, and reporting breaches. CSOs reported that breach notification duties empowered them to implement new access controls, auditing measures, and encryption. Aside from the organization’s own efforts at complying with notification laws, reports of breaches at other organizations help information officers maintain that sense of awareness. 
Though security breach notification laws rarely top the list of security professionals' priorities, organizations keenly understand that reputational harm may result from a breach. This has profound consequences in the enterprise. Security breach notification duties lead to more awareness and attention across different levels of management and, in some cases, they have led to specific security measures taken in response to this threat. All the organizations interviewed noted concerns that a public notification of a breach would damage their organization’s reputation and the trust behind their name. Almost all the information officers interviewed have at least implemented an incident response plan that formalized the procedures departments would follow to detect and investigate a security breach. In addition, some organizations took specific steps to assess the risk of a security breach, and respond accordingly. Others were satisfied that their security standards were strong enough, and therefore took no further steps. Security of personal data still is not a marketable characteristic for companies that sell directly to consumers, because consumers are unable to adequately gauge security methods when considering the importance of other product features. However, security is slowly gaining ground as a vital business feature for businesses that interact with and handle the sensitive data of other organizations. Organizations that are strengthening their own security mechanisms are increasingly requiring the same of third party vendors. This pressure strips away the reputation shelter from third party data collectors that lack direct interactions with the general public, and pushes towards a more uniform set of security practices. For instance, a data selling company interviewed for this study now allows external entities to audit its systems. 
Based on the benefits described above, this study proposes establishing a uniform set of notification requirements to maximize information exchange about security breaches:
- Establish a uniform standard that requires public notice of all security breaches – to help security professionals track and adapt to incidents at other organizations and to ensure that all affected consumers are being provided with breach notices.
- Establish a uniform reporting standard and require notification to a centralized organization in addition to consumers – to make information on breaches publicly available and allow industry professionals to reference breach reports for information on security vulnerabilities.
- Clarify and broaden technology safe harbor provisions beyond encryption – to give better guidance to organizations on what types of security mechanisms are sufficient to prevent lost data from being accessible for the purposes of misuse, and to incubate research into and adoption of other technologies that effectively render personal information useless if accessed without authorization.
- Create a safe harbor period for notifications – to compromise between giving clear instructions on how quickly notifications must be given and providing enough flexibility for organizations to investigate and remedy security breaches.
- Collect more information on the type of notification trigger language that should be used.

Citation formats  
  • BibTeX
    @techreport{SamuelsonLawTechnologyPublicPolicyClinic07_SecurityBreachNotificationLawsViewsFromChiefSecurity,
        author = {Samuelson Law, Technology \& Public Policy Clinic},
        title = {Security Breach Notification Laws: Views from
                  Chief Security Officers},
        institution = {University of California, Berkeley},
        month = {December},
        year = {2007},
        URL = {http://www.truststc.org/pubs/310.html}
    }
    

Posted by Larry Rohrbough on 11 Dec 2007.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.