Global consensus on data breach legislation is still evolving, but fear of brand damage is pushing reform, reports James Hale.
The Information Age introduced two universal truths: Data is a commodity, and as such, is prone to attack for either profit or other purpose. Beyond that, nothing is a given.
How data is treated, and what happens when its security is breached varies widely, depending on whether the breach occurs in Boston or Berlin, Oregon or Ontario. Data breach notification legislation has evolved in isolation and no two jurisdictions have taken exactly the same approach. Some countries – most notably Australia – lack mandatory notification laws altogether. As a result, doing business with foreign entities requires negotiating a patchwork quilt of legislation, and being a consumer whose personal information has been compromised means being treated differently, depending on which side of the divide you reside.
Newly enacted legislation in California – where Senate Bill 46 became law on Jan. 1 – and a proposed directive by the European Parliament promise increased clarity and consumer protection. In California, the definition of personal information has been expanded to include “a username or email address, in combination with a password or security question and answer that would permit access to an online account.” The EU reforms – the first since 1995 – will impose 24-hour breach notification across all 28 member countries and steeply increase fines for breaking the rules.
As forward looking as these new laws are, the evolution of policy continues to lag behind technology. Some observers believe that will likely continue to be the case for the foreseeable future.
Jack Daniel, technical product manager, Tenable Network Security
Rhiannon Davies, associate, DAC Beachcroft
Michelle Dennedy, chief privacy officer, McAfee, An Intel Company
Patrick Hill, lawyer, DAC Beachcroft
Marc Vael, international VP, ISACA; head of internal audit, Smals
“It takes time to legislate change,” says London-based lawyer Patrick Hill, whose international law firm, DAC Beachcroft, published an extensive guide to data breach laws around the world. “Perhaps we will get smarter, but I suspect that policy will always be reactive.”
In fact, says Marc Vael, international vice president of ISACA, the nonprofit advocacy organization for professionals in information security, assurance, risk management and governance, and head of internal audit for Smals, a Brussels-based information technology and services firm, the burst of legislative activity in both the EU and California is likely a result of the growth of social media and resultant consumer demand. “The commercialization of social technologies has been a game changer in breach notification,” Vael says. “There is a global consensus that people have the right to know about what is happening to their data and a perception that data is being abused.”
Other experts agree. “Big Data is like teenage sex,” says Michelle Dennedy, chief privacy officer of Santa Clara, Calif.-based McAfee, An Intel Company. “Everyone is talking about it, but anyone actually doing it is probably doing it badly.”
Her view is that legislators and policy-makers are well meaning when it comes to consumer protection, but the follow through is lacking.
“Privacy polls very well during election years,” she says, “and it is logical that the result would be one consistent law, but no. What happens is that legislators all go in different directions.”
Where those legislators go may address consumer concerns, but observers say that the EU response – which must proceed through council discussion before its scheduled adoption in May – is an example of how they often fail to take into account the realities of data collection, storage and use.
Jack Daniel, technical product manager for Tenable Network Security based in Columbia, Md., points to the proposed 24-hour limit on disclosing data breaches as an example of how policy-makers fail to consider technical limitations.
“Twenty-four hours is a very short window,” he says. “There is a huge opportunity there for getting it wrong in terms of the scope of a breach. Overnight, an organization might think that 40,000 accounts have been affected, when in fact that number is much smaller, and if you get it wrong you look like you are lying.” Governments, he adds, would like users to log everything, but have no idea what that actually means. One of the first things he says he learned in network security is that there are always things on networks that are unknowable.
As well, many companies that manage large quantities of data, and most small- to mid-sized organizations, do not have the technology required to provide extensive, consistent network oversight, Daniel says.
ISACA's Vael (right) also warns that consumers should take only cold comfort from the EU's proposed notification limits. “The 24-hour limit definitely raises questions,” he says. “It remains unclear what action is to follow and just who gets notified.”
He notes that Belgium, Germany and Italy have tougher regulations already in place, but says the nationalistic and political factions within the 28 individual members of the union have influenced the shape of the directive, which will not be open to interpretation by EU members once the EU Parliament has adopted it.
“There was a lot of campaigning to align the policy with the laws in place in Germany and the UK,” says Rhiannon Davies, an associate also at DAC Beachcroft, “but the pressure was on to finalize the directive this year so it could be in place by 2016.”
Even though he says there is a lack of unanimity on the EU policy, Vael sees the draft having a ripple effect in other parts of the world. DAC Beachcroft's Hill agrees, noting that countries in the Far East have expressed interest in how the EU is proceeding. Without a single international body to oversee policy standards – along the lines of the way the International Telecommunications Union guides information and communications technology policy – how is informed agreement on the best way forward possible? And what is the best course to follow?
McAfee's Dennedy (left) makes the case that California's Senate Bill 1386, enacted in 2003 and seen in some corners as the world's first significant data breach notification law, remains the gold standard.
“It was the first law with teeth,” she says, “and if you look at 1386's two primary tenets, you see the essence of what is needed: As an organization that manages data, you are accountable to the consumer; and you can be blamed and shamed if you mess up.”
She says the real “magic” in the 2003 legislation was the concept of a safe harbor for data. “That was massively important.”
In a perfect world, she says, legislation in all jurisdictions would have been modeled on that foundation.
Daniel has his own list for what the ideal breach notification legislation should include. “First, you have to determine – as they have in California – what constitutes a data record you should be concerned about. Is it username, password and security question, or some other combination?”
The second element is a clear definition of whose data must be protected and what size of breach will trigger a notification. “That has to be rational,” he says. “Maybe it is a loss of 100 records, maybe it's more, but it can't apply to every single loss if you want to be taken seriously.”
Finally, he says, guidelines have to be spelled out clearly and simply – a concept Dennedy applauds. She says McAfee has published privacy statements as the equivalent of graphic novels, and is exploring the concept of expressing them with music, as well.
Plus, she extends that radical approach to re-thinking how organizations approach issues of security to corporate labs, too. “We need engineers who know what privacy is, for starters,” she emphasizes. “They're good people, but we need a way to get them back to basic standards and build privacy in. My mantra is, ‘Know thy data.' If you start from that point and come in with smart questions, I think we can get it right.”
There is consensus that understanding privacy basics and making data protection a corporate priority, rather than simply assigning it as an IT task, are critical steps.
“It has become a boardroom issue now,” says Hill. “Awareness has increased and insurance companies now have products to address data loss.”
Pointing to the success that the PCI Security Standards Council has had at increasing awareness of compliance in the C-suites of organizations that accept credit cards, Daniel says that breach disclosure has to become an integral part of every organization's risk and response strategy.
There is also agreement on increasing consumer understanding of data breaches and privacy. “We are not doing a good job of teaching these kinds of concepts at school,” says Dennedy. “People are getting burnt out on news about data breaches, and what doesn't come out is what consumers should do about it.”
Looking at the pending EU legislation and what it means across the expanse of Europe, Vael is optimistic about the future. Over and above what happens in world legislatures or in the boardrooms of state regulators, he says there is a clear trend toward consumer action. “Companies that abuse data will be exposed,” he says. “In today's world, brand damage can happen very fast and consumers will react. They will determine what information they want to share with organizations they do business with. Peer pressure will be more effective than any national or international directive can be.”