Update: This blog post has been modified since it was first published. Click here for more details, or scroll to the bottom to see the original text.
A pro-consumer, bipartisan data-breach bill was stripped of most its provisions before its feeble remains were finally passed by an Indiana Senate committee on Tuesday.
This came after two weeks of intensive lobbying by AT&T, Verizon, Microsoft, and LexisNexis, all of which wanted to kill the bill. For the most part, they were successful.
In a blog post last week, I explained how I had worked with my state Rep. Matt Pierce (D-Bloomington) to draft and submit a data-breach bill. The bill fixed a number of major loopholes in the existing laws and borrowed heavily from existing laws in pro-consumer states such as New York, California, and New Hampshire.
It also broke new legal ground and would have made Indiana the first state in the country to require that all data breach reports impacting state residents be put online at the state attorney general's Web site. This is something that the New Hampshire Department of Justice already does, but out of a voluntary effort to help consumers and not due to a legal mandate.
Indiana's existing data-breach statute has a number of major loopholes. The most critical of these is that companies are not required to disclose a data loss/theft incident, as long as the device in question is protected with a password. The law does not require encryption of all confidential user data, but instead lets companies off the hook as long as they employ a Windows log-in password. These passwords do little to protect data, as they can be broken in a matter of seconds using free tools--or an attacker can use a Linux boot CD to read the data directly off the drive.
In a committee meeting Tuesday morning, Republican committee members successfully eviscerated the bill, reducing it to a mere 17 lines of text from the original 72. The Web site report provision and the requirement that companies notify the state attorney general whenever a data breach is discovered were stripped. A section of the bill that created incentives for companies to follow encryption and key management practices "in a manner consistent with the best practices common in the industry" was also removed.
Thankfully, the most important part of the bill (which requires real encryption and not just a Windows log-in password) remains, for now.
It only took six votes to completely gut the bill--as the other five members of the committee failed to show up for the vote. On Tuesday afternoon, I spoke with state Sen. Tim Lanane, one of the two Democrats who voted on the bill.
"I certainly didn't support the amendment," he told me, "but I also heard Rep. Pierce (the author of the bill) say that he preferred to have a bill pass, as opposed to it dying in committee."
Lanane told me that his vote was strategic, as he knew that "the (Republican) chairman was not likely to pass the bill (as originally written). Rep. Pierce knew that too." In the end, he added, it was "better to have something come out of committee rather than nothing."
Lanane told me that it is still possible to have the original pro-consumer provisions added back into the bill once it reaches the full Senate, and later if it comes up in a House/Senate conference committee.
The bill sailed through the House of Representatives a few weeks ago, passing 94-0. Unfortunately, when I drove up to the state capital last week to testify in front of a Senate committee, I discovered that big business was gunning after the bill.
At least 10 lobbyists were waiting at the committee meeting, many having flown in from Washington D.C., and were going to do their best to have the bill eviscerated. The lobbyists represented household names such as AT&T, Microsoft, Verizon, Comcast, and LexisNexis.
The lobbyists claimed that consumers could be easily confused by online breach reports, that such reports could be misused by evil phishers and fraudsters as a way of adding authenticity to their attacks, and finally that the reports could act as an unfair scarlet letter for companies that make mild data-breach mistakes.
The New Hampshire Department of Justice has posted data breach reports to its Web site for over two years. In order to learn more about the site, I recently spoke with Lauren Noether, the bureau chief of the New Hampshire DOJ's Consumer Protection Office. She told me, "I think it's important for the public to know that there are these types of breaches." She added that "any information that helps a consumer to make decisions about with whom they want to do business is helpful."
With regard to the reports, she stated that "we have them online so that anyone--the media, the public--can look at them, just to see what's out there in the world of security problems."
She also noted that the reports have been useful for businesses that have recently suffered a breach. "People have called me and asked do I have a form?" She said that she is able to tell them that "you may want to take a look at the ways that other companies have reported it to us."
Noether told me that that she hasn't heard a single complaint about the Web site and that she hasn't received any information to suggest that criminals were using the site to add credibility to their phishing attacks.
So much for the claims of the lobbyists. It's worth noting, however, that LexisNexis, one of the firms that flew a Washington D.C. lobbyist to Indianapolis to testify against the bill, has three different data breaches from 2007 listed on the New Hampshire DOJ site. Perhaps the company should spend more resources on protecting its customers' data, and less on lobbying?
Update: The text below was deleted from the post on February 18th. More details on its removal can be seen here. The original text has now been put back.
AT&T donated over $170,000 to Indiana state legislators in the 2006 election cycle while Verizon donated $48,000. Furthermore, while I'm sure that all 11 of the senators on the committee are all upstanding and honest legislators, I think it's worth mentioning that only one senator (Arnold) has not received thousands of dollars from AT&T in the past. The rest have all taken Ma Bell's money: Steele (R), Bray (R), Drozda (R), Zakas (R), Waltz (R), Waterman (R), Howard (D) Young (D), Tallian (D), Lanane (D).
I'm sure this in no way influenced their votes on Tuesday, but it sure does give you food for thought.
Update 2: When I wrote that original blog post back in February, detailing which members of the committee had received donations from AT&T, I neglected to do a bit of research. My efforts had been focused on just the members of the Senate Committee. I completely forgot to look up the donation history of Senator Brandt Hershman, the Republican Majority Whip, Senate "sponsor" of HB 1197, and the author of the amendment that stripped away 3/4 of the provisions in the original bill.
It turns out that while the senators on the committee each received $2000 from AT&T over the past few years, Senator Hershman has received even more love from Ma' Bell. He received $4000 from AT&T in 2004, and another $2500 in 2006 -- AT&T was his top contributor that year.
Again, just as with the other senators, I'm in no way claiming that Senator Hershman's actions were motivated by the big fat checks he received from AT&T. I am sure that he amended the bill to strip out the parts hated by lobbyists only after carefully considering the issues, and coming to the conclusion that Indiana consumers do not need an easy way to find out about companies that lose their personal data.
In a direct slap in the face to consumers, tech industry giants including Microsoft, AT&T, and Verizon are frantically engaged in an effort to kill pro-consumer provisions in a data breach notification bill currently being considered by the Indiana State Senate.
AT&T: consumers should be kept in the dark--oh, and we kick puppies too.
(Credit: The Electronic Frontier Foundation)The bill would require that the state attorney general act as a single point of contact for data breaches. Any company that suffered a breach impacting one or more Indiana consumers would be required to notify the AG's office. The bill would also make Indiana the only state in the country to to require the attorney general to post a copy of each report to its Web site--so that consumers, members of the press, and academics would have a single place to go to in order to find out about data breaches.
At a State Senate committee meeting this morning, lobbyist after lobbyist criticized the provision. They claimed that by putting a list of breach notification reports online, the AG's office would provide phishers and other online fraudsters with ammunition with which to engage in phishing attacks. A lobbyist for Microsoft argued that phishing emails would be sent out to consumers, including a link to a real breach report on the AG's site, and then include a link to a fake website where consumers wishing to protect themselves from fraud would be tricked into inputting their personal information.
The state of New Hampshire already posts copies online of all breaches reported to its Department of Justice. The state has done this for the past year, yet in hours of searching, I've been unable to find a single phishing site or email that has referenced a breach report on the New Hampshire site. While New Hampshire regularly posts these reports, it is not required to by law, and only does so because someone in the attorney general's office is forward thinking and pro-consumer.
In addition to the New Hampshire site, both the Privacy Rights Clearinghouse and Attrition.org collect and publish data breach reports online. Attrition.org is even nice enough to provide an RSS feed of the latest breach reports, perfect for interested parties, or computer geeks wanting to create a mashup.
I spoke with Paul Stephens of the Privacy Rights Clearinghouse this afternoon to get his thoughts on the attempt by lobbyists to kill Indiana's breach Web site bill. When asked if PRC's site or reports located on it had been used by phishers, he dismissed the lobbyists' claims, and stated that "we have not heard of anything of that nature. All of the information on our site is otherwise available elsewhere, we are just creating a handy compilation of information." He added that "virtually every security breach already gets reported by the media."
Representative Matt Pierce
(Credit: Indiana House of Representatives)In addition to the breach Web site requirement, the bill, also fixes a number of loopholes in the current breach notification law. The law, as currently written, exempts companies from having to notify consumers if a laptop containing customer data is stolen, as long as the laptop has a login password. This is extremely problematic, as a login password does nothing to protect the data if the hard disk is taken out of the computer. The proposed bill fixes this loophole, and requires instead that companies wishing to avoid breach notification use strong data encryption with an undisclosed key. As the law currently stands, an employee can have her Windows login password written on a post-it note stuck to her laptop, and yet the company will not be required to notify consumers.
The proposed data breach notification bill was written by my local state representative, Matt Pierce, after I contacted him back in mid-2007. I voiced my concern about flaws in the existing law after I discovered, and publicized an undisclosed 2006 data breach incident at Indiana University. Representative Pierce asked me to come up with a list of changes that I would like proposed, and asked me to try and find states that already had similar provisions on the books.
It took several months to hammer things out--and it took the help of Indiana University privacy law Professor Fred Cate who acted as the voice of moderation and wisdom, but eventually, Representative Pierce submitted a bill in January that included most of the changes that I requested. The bill sailed through the State House of Representatives a couple weeks ago, passing 94-0. It is only now that it has come up for consideration in the Senate that the industry lobbyists have decided to try and sabotage one of the most pro-consumer parts of the legislation.
I drove up to Indianapolis this morning, and testified before the Senate committee considering the bill. Apart from Representative Pierce, I was the sole voice calling for the bill's passage, while more than 10 lobbyists took turns at denouncing the bill as a gift to phishers and fraudsters.
While the encryption parts of the bill may end up passing, I suspect that the lobbyists may get their way, and kill the breach notification website requirement in the bill.
No matter what happens, this has been a fantastic experience for me, and a chance to see democracy in action (including the sordid world of lobbyists). A bill that I asked for and helped to draft passed through the house 94-0. I got to testify before a Senate committee, and with any luck, some of the loopholes in the existing law that I identified may be closed.
Anyone wishing to help to save the pro-consumer AG Web site notification parts of the bill (HB 1197) may want to try and call up the state senators on the Indiana Senate Committee on Corrections, Criminal, and Civil Matters. All can be reached by calling the Senate switchboard at (317) 232-9400.
These are:
- Senator Brent Steele,
- Senator R. Michael Young,
- Senator Jeff Drozda
- Senator Brent Waltz
- Senator John M. Waterman
- Senator Richard D. Bray
- Senator Joe Zakas
- Senator Karen Tallian
- Senator Tim Lanane
- Senator Jim Arnold
- Senator Glenn Howard
On the surface, it looks like we actually made some improvements in protecting private data in 2007. According to the Privacy Rights Clearinghouse, the number of publicly disclosed data breaches actually decreased, from 346 incidents in 2006 to 310 in 2007. Unfortunately, there are still more clouds than sunshine. In 2007, the 310 data breach incidents resulted in a total of 162 million records exposed, more than three times as many as in 2006 (when there were about 50 million).
Here's another frightening data point: Five of the 10 biggest data breaches occurred in 2007, including the record setter. Massachusetts-based TJX now holds the dubious honor for the largest data breach of all time--a whopping 94 million records were exposed!
As we fade into the twilight of the first decade of the 21st century, information security progress continues to move one step forward and then two steps back. The worst news of all is that this isn't a technology issue. It really comes down to negligence, ignorance, poor processes, and general laziness. To paraphrase security guru Bruce Schneier, "People remain the weakest link in the security chain."
I am an internal optimist by nature, but I continue to believe that the state of information security is far worse than the general public knows. I don't expect much improvement with data breaches in 2008 and wouldn't be at all surprised to see another doozy. With the way things are, the TJX incident could look like a sophomoric hack by year's end.
(Credit:
TJX)
Editors' note: This blog initially misstated the number of years of credit monitoring that TJX is offering in the proposed settlement. It is offering three years, or two additional years if the customer is already signed up for a credit monitoring service.
The TJX Companies announced on Friday a yet-to-be-finalized settlement for several class action suits resulting from various data breaches over the last few years.
TJX, which operates such discount retail chains as T.J. Maxx and Marshalls in the U.S. and Winners and HomeSense stores in Canada, is offering claimants three years of credit monitoring (or two additional years if the customer already has a credit monitoring service), credit insurance for up to $20,000 in losses, and the cost of replacing driver's licenses. A second group will receive one or two $30 vouchers good at any TJX-owned store.
Additionally, all T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico and all Winners and HomeSense stores in Canada will hold a three-day customer appreciation sale sometime in 2008 in which merchandise will be reduced by 15 percent.
In a press release (PDF) associated with the settlement announcement, Carol Meyrowitz, chief executive of the TJX Companies, said, "We deeply regret any inconvenience our customers may have experienced as a result of the criminal attack on our computer system."
In March, TJX said that up to 45.7 million customers may have had their credit information compromised. It is believed to be the largest data security breach ever.
Recently, Neal Krawetz of Hacker Factor released a report (PDF) citing various vulnerabilities in how large retail chains, including TJX, collect and store customer credit card information. You can read more about Krawetz's findings here or hear a podcast interview with him here.
Sometimes it feels like every day, there's word of another incident involving lost, hacked or pilfered personal data stores--and dire warnings about the potential consequences.
But according to a report just released by the Government Accountability Office (PDF), only a small fraction of those recent episodes have actually resulted in clear signs of identity theft.
After scrutinizing the 24 largest data breaches that got media attention between January 2000 and June 2005, the GAO found that only three of the incidents indicated fraud on existing accounts. One pointed to evidence that new accounts had been created based on the leaked information.
Those breaches included break-ins at third-party credit card payment processor CardSystems, shoe retailer DSW and e-commerce retailer CD Universe.
That leaves 18 incidents that signaled no evidence of identity theft and two incidents on which there wasn't enough information for the government auditors to decide.
But that's not to say there weren't a lot of break-ins. All told, the GAO found media reports of more than 570 data breaches--across a wide variety of public and private entities--in the media between January 2005 and December 2006 alone.
The GAO acknowledged that its research is not definitive. "Determining the link between data breaches and identity theft is challenging because, among other things, identity theft victims often do not know how their personal information was obtained," the auditors wrote.
The report, which was prepared for a congressional committee, also took a cautious stance on the idea of legally requiring stewards of personal data to notify anyone whose information may have been compromised in a security breach. Although the government auditors didn't make any formal recommendations to Congress, they said it's necessary to balance the need to alert consumers and to foster better security practices with the potentially high costs and consumer complacency that could accompany overly zealous notification.
Thirty-six states already have notification laws of some sort on their books, according to the GAO. Despite lots of talk, Congress hasn't taken much action on its own yet, and it's unclear whether this year will be any different.
The Connecticut attorney general has launched an investigation into the compromise of up to 17,000 of Pfizer employees, including some 300 employees within his home state. Pfizer would not comment on when the breach occurred other than to say it involved a Pfizer employee who had taken the data home on a laptop, a machine that subsequently became compromised. The data, including the employees' name, home address, bonus information, and Social Security number, was surreptitiously uploaded and later appeared on an Internet site. Pfizer did not know how much of that information had been copied or used by others.
The company has offered the affected employees $25,000 in insurance to cover any costs resulting from the breach. Employees were asked to respond within 90 days. In a letter dated June 6, Attorney General Richard Blumenthal asked the pharmaceutical company to also freeze the affected employees' credit ratings and pay any fees associated.
Internal leaks of sensitive data are an emerging problem for enterprises. "Although the lost laptop appears to be the trend that people focus on," said Devin Redmond, director of the security product group at Websense, "the trend is more that (personal data) goes out over the Web." Redmond said that spyware and malware tend to be targeted to a specific organization, even specific file types. The potential attacker includes competing companies or organized crime.
Redmond said companies should discover where their assets are and then implement IT policies to protect them. For employee-issued laptops, this may include restricting or filtering Web sites that may be visited with that machine. As for employees wanting to take files home on a flash drive, ports and burners on the office desktop can be prevented from copying sensitive documents.
- prev
- 1
- next
