A few weeks ago, I brought you news that Indiana's Governor had signed into law HB 1197, a data breach and encryption bill that I worked on.
What I have not revealed, until now, is the coercion and arm-twisting that accompanied the passage of this bill. While the details may not surprise jaded readers, it certainly gave me a reason to dislike the entire process, as well as one particular power-tripping legislator. Now that the bill, albeit a significantly slimmer version, has become law, I'm free to tell the story.
As regular readers of this blog know, I spent a significant amount of time this spring working on an update to Indiana's data breach laws. Along with my local State Representative, I co-wrote a bill that would fix loopholes in the existing rules, as well as designate the State Attorney General as a central reporting body, which would then post a copy of each report to its website.
The bill passed through House Committee without any problems, and was then passed unanimously by the State House of Representatives. Once the bill came up before the relevant Senate Committee, it drew the attention of lobbyists representing AT&T, Microsoft and Lexis Nexis, who flew in from Washington to try and kill the bill.
Eventually, the lobbyists got their way, and the bill was stripped of some of the most pro-consumer provisions. Shortly after this happened, I wrote a blog post on the subject, explaining what had happened, who had voted for the amendment, and which firms lobbied against the bill.
Coercion
After the bill passed through committee, the next step was for it to receive a second reading on the Senate floor. This was scheduled to happen on February 18th. At the end of that day, I went online, and saw that every single bill scheduled to receive its second reading that day had been read, except my bill. Curious as to what had happened, I made a few calls.
And this is where it gets interesting. A well placed source told me that a powerful Republican Senator had taken offense to something I had written on my blog the week before, in which I mentioned that each member of the Senate Committee voting to shred the bill had previously received campaign donations from AT&T. My source relayed a threat from the Senator: Either I had to remove the offending paragraph from my blog, or he would hold up the bill, and it would die in the Senate.
The offending text from the blog post:
AT&T donated over $170,000 to Indiana state legislators in the 2006 election cycle while Verizon donated $48,000. Furthermore, while I'm sure that all 11 of the senators on the committee are all upstanding and honest legislators, I think it's worth mentioning that only one senator (Arnold) has not received thousands of dollars from AT&T in the past. The rest have all taken Ma Bell's money: Steele (R), Bray (R), Drozda (R), Zakas (R), Waltz (R), Waterman (R), Howard (D), Young (D), Tallian (D), Lanane (D).
I'm sure this in no way influenced their votes on Tuesday, but it sure does give you food for thought.
This put me in a very difficult position. I had worked very hard on this bill, and this was my chance to close what I believed was a serious loophole in Indiana's existing breach laws. If I didn't cave to the Senator's demands, my bill would die, and with it, the chances of getting the law changed.
On the flip side, I hate the idea of censorship. I don't like being told what to write, or being told that I have to take something down. I think this is a feeling that I share with most of the Internet community -- be it cease and desist letters, or lawsuit threats, such attempts at stifling free speech are universally denounced (and usually evaded).
In addition to my own feelings, censorship is something that is not tolerated at CNET. Any edits I make to my own posts after publication must be struck out. Thus, removing an entire paragraph, let alone doing it silently without saying why, totally violated CNET policies, as well as basic journalistic standards.
To make matters worse, my source would only deliver the Senator's threat on the condition that it remain off the record. In later conversations, once I explained the trouble I'd get into with CNET over the silent deletion, he agreed to let me write about what had happened, as long as his name, and the Senator's name, were not revealed.
In the end, I decided to take down the text temporarily. I planned to post the offending text back online as soon as the Governor signed the bill into law. It was not a decision I was completely comfortable with, but I decided that passage of the bill was more important.
In hindsight, I'm not so sure that this was the right move. At the very least, I acknowledge that I let down both CNET, and the trust of my readers. This is something that I sincerely regret.
The day after I removed the paragraph, the bill had its second reading, and then a few days later, was passed unanimously by the State Senate. While he was unethical, the Senator did at least keep his word.
After the dust settled, I received some great advice from one of my mentors:
As a general rule it's difficult to wear two hats simultaneously in the legislative process. Fine to be a good citizen and propose necessary legislation. Fine also to be a whistleblower and call attention to legislative abuse. But very difficult to do both at the same time.
I'm not sure which hat I'll end up wearing for good. The entire process has left me with a fairly unpleasant taste in my mouth, made significantly worse by the fact that I still cannot name the Senator who abused his power.
With a stroke of the Governor's pen on Monday, Indiana became one of the few states in the country to provide strong incentives for businesses to encrypt sensitive customer data. Unlike many of the laws that pass through state legislatures, this one was not ghostwritten by lobbyists or special interests. It was co-written by a tech-savvy state legislator and a blogger constituent ... me.
One of the biggest problems in the hundreds of data breach and data loss incidents that have been reported over the past few years is that so little of the data is encrypted. If a laptop containing sensitive medical information is stolen, the thief merely needs to turn it on to read through a goldmine of personal data.
Some government agencies have taken action following particularly heinous incidents. After the state of Ohio lost backup tapes containing 160,000 social security numbers that were kept in a summer intern's car, the state purchased McAfee disk encryption software for every state employee. Likewise, after the hugely embarrassing data loss incident at the Department of Veterans Affairs in 2006, the Bush Administration issued new standards mandating encryption for all federal agencies.
Laptop password loophole
Indiana passed a data breach reporting law in 2006. However, the law had a number of problems. The biggest of these involved laptop passwords.
Many state data breach laws are written in a way to incentivize businesses into protecting their customer data. It would be exceedingly difficult to pass a law forcing all businesses to encrypt their data, and so states opt for the carrot and the stick.
Businesses are given a choice: If you protect your customers' data, and you lose a laptop containing sensitive information, you won't have to spend the money and suffer the reputation hit by telling the public. That is, as long as you've protected the data sufficiently.
Indiana's law created this incentive by narrowly defining a data breach incident. The giant loophole in the law stated that businesses would not have to report an:
"Unauthorized acquisition of a portable electronic device on which personal information is stored, if access to the device is protected by a password that has not been disclosed."
As a computer security researcher, the problems in this sentence immediately jumped out at me. A password doesn't mean encryption, it merely means a password. Windows login passwords would satisfy the law, even if they did nothing to protect the data on the disk. An attacker could start up the device with a recovery CD, or use one of many software tools to break the Windows password -- which will take just a few seconds to do.
Changing the law
In mid 2007, I contacted my State Representative Matt Pierce and asked him to look into fixing the law. He liked the idea, and asked me to compile a list of the problems in the existing rules and suggested fixes.
In January 2008, Representative Pierce submitted a bill to committee that fixed the data encryption flaw, as well as requiring the attorney general of the state to post a copy of every data breach incident impacting 1 or more Indiana residents to an official website.
The bill passed through committee, and then passed unanimously through the Democratic-controlled House, 94-0. Unfortunately, once the bill arrived in the state Senate, it attracted the attention of lobbyists, some of whom flew in from Washington DC specifically to oppose the website reporting provision in the bill. The experience was eye-opening, and gave me a rapid education in the influence of money in politics. Sadly, the lobbyists from AT&T, Microsoft, and Lexis Nexis got their way.
In the end, the Republican-controlled Senate stripped out a number of portions of the proposed law. The bill that came out of the Senate, which included the laptop encryption fix, passed unanimously 46-0.
Finally, on Monday the 25th of March, Governor Mitch Daniels signed the bill into law.
As of July 1, 2008, Indiana's data breach law will be amended such that a company will not have to report the:
"Unauthorized acquisition of a portable electronic device on which personal information is stored, if all personal information on the device is protected by encryption and the encryption key:
(A) has not been compromised or disclosed; and
(B) is not in the possession of or known to the person who, without authorization, acquired or has access to the portable electronic device."
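To make the two exemption tests concrete, here is an added example (my own code, not from the post or the statute) that encodes the 2006 "undisclosed password" test and the 2008 "encryption plus key conditions" test as predicates and runs both over a few constructed device scenarios; the field names and scenarios are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LostDevice:
    """Facts about a lost or stolen portable device.

    Field names are assumptions made for this example, not statutory terms.
    """
    label: str
    has_login_password: bool   # e.g. a Windows account password
    password_disclosed: bool   # has that login password been disclosed?
    all_data_encrypted: bool   # is every piece of personal info on the device encrypted?
    key_compromised: bool      # has the encryption key been compromised or disclosed?
    acquirer_knows_key: bool   # does whoever took the device possess or know the key?


def exempt_2006(d: LostDevice) -> bool:
    """Original Indiana statute: no report needed if access to the device is
    protected by a password that has not been disclosed."""
    return d.has_login_password and not d.password_disclosed


def exempt_2008(d: LostDevice) -> bool:
    """Amended statute (effective July 1, 2008): no report needed only if all
    personal information is encrypted AND the key (A) is not compromised or
    disclosed and (B) is not held or known by whoever acquired the device."""
    return d.all_data_encrypted and not d.key_compromised and not d.acquirer_knows_key


def must_notify(d: LostDevice, amended: bool) -> bool:
    """True when the loss must be reported under the chosen version of the law."""
    return not (exempt_2008(d) if amended else exempt_2006(d))


# Constructed scenarios (not real incidents).
SCENARIOS = [
    # The loophole case: Windows login password, plaintext disk. The 2006 text
    # treats this as protected even though the data is readable off the drive.
    LostDevice("windows-password-only", True, False, False, False, False),
    # Full-disk encryption with the key kept secret: exempt under both versions.
    LostDevice("fde-key-secret", True, False, True, False, False),
    # Encrypted, but the key was written down and went with the laptop:
    # condition (B) of the amended law fails, so a report is required.
    LostDevice("fde-key-on-post-it", True, False, True, False, True),
    # No password and no encryption: report required under both versions.
    LostDevice("unprotected", False, False, False, False, False),
]


def compare(scenarios=SCENARIOS) -> dict:
    """Map scenario label -> (notify under 2006 law, notify under 2008 law)."""
    return {d.label: (must_notify(d, amended=False), must_notify(d, amended=True))
            for d in scenarios}


if __name__ == "__main__":
    for label, (old, new) in compare().items():
        print(f"{label:24s} 2006 law: {'notify' if old else 'exempt':6s}  "
              f"2008 law: {'notify' if new else 'exempt'}")
```

The first scenario is the one the post describes: exempt under the old wording, reportable under the amended one.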
I am confident that Indiana's new law will provide an extremely strong incentive to businesses in the state. Either, they can start using encryption to protect customers' data, or when they do lose a laptop, they can pay the financial and reputation costs of having to send out hundreds of thousands of letters to consumers.
No business is being forced to do anything - but the smart ones will most likely start taking additional steps to protect customer data.
All the credit and thanks for this effort should go to Representative Matt Pierce, who fought the good fight, and waged battle against big money lobbyists. While the perfect bill did not pass, the change to the law is positive, and it would not have happened without Pierce's hard work.
Update: This blog post has been modified since it was first published. Click here for more details, or scroll to the bottom to see the original text.
A pro-consumer, bipartisan data-breach bill was stripped of most of its provisions before its feeble remains were finally passed by an Indiana Senate committee on Tuesday.
This came after two weeks of intensive lobbying by AT&T, Verizon, Microsoft, and LexisNexis, all of which wanted to kill the bill. For the most part, they were successful.
In a blog post last week, I explained how I had worked with my state Rep. Matt Pierce (D-Bloomington) to draft and submit a data-breach bill. The bill fixed a number of major loopholes in the existing laws and borrowed heavily from existing laws in pro-consumer states such as New York, California, and New Hampshire.
It also broke new legal ground and would have made Indiana the first state in the country to require that all data breach reports impacting state residents be put online at the state attorney general's Web site. This is something that the New Hampshire Department of Justice already does, but out of a voluntary effort to help consumers and not due to a legal mandate.
Indiana's existing data-breach statute has a number of major loopholes. The most critical of these is that companies are not required to disclose a data loss/theft incident, as long as the device in question is protected with a password. The law does not require encryption of all confidential user data, but instead lets companies off the hook as long as they employ a Windows log-in password. These passwords do little to protect data, as they can be broken in a matter of seconds using free tools--or an attacker can use a Linux boot CD to read the data directly off the drive.
In a committee meeting Tuesday morning, Republican committee members successfully eviscerated the bill, reducing it to a mere 17 lines of text from the original 72. The Web site report provision and the requirement that companies notify the state attorney general whenever a data breach is discovered were stripped. A section of the bill that created incentives for companies to follow encryption and key management practices "in a manner consistent with the best practices common in the industry" was also removed.
Thankfully, the most important part of the bill (which requires real encryption and not just a Windows log-in password) remains, for now.
It only took six votes to completely gut the bill--as the other five members of the committee failed to show up for the vote. On Tuesday afternoon, I spoke with state Sen. Tim Lanane, one of the two Democrats who voted on the bill.
"I certainly didn't support the amendment," he told me, "but I also heard Rep. Pierce (the author of the bill) say that he preferred to have a bill pass, as opposed to it dying in committee."
Lanane told me that his vote was strategic, as he knew that "the (Republican) chairman was not likely to pass the bill (as originally written). Rep. Pierce knew that too." In the end, he added, it was "better to have something come out of committee rather than nothing."
Lanane told me that it is still possible to have the original pro-consumer provisions added back into the bill once it reaches the full Senate, and later if it comes up in a House/Senate conference committee.
The bill sailed through the House of Representatives a few weeks ago, passing 94-0. Unfortunately, when I drove up to the state capital last week to testify in front of a Senate committee, I discovered that big business was gunning after the bill.
At least 10 lobbyists were waiting at the committee meeting, many having flown in from Washington D.C., and were going to do their best to have the bill eviscerated. The lobbyists represented household names such as AT&T, Microsoft, Verizon, Comcast, and LexisNexis.
The lobbyists claimed that consumers could be easily confused by online breach reports, that such reports could be misused by evil phishers and fraudsters as a way of adding authenticity to their attacks, and finally that the reports could act as an unfair scarlet letter for companies that make mild data-breach mistakes.
The New Hampshire Department of Justice has posted data breach reports to its Web site for over two years. In order to learn more about the site, I recently spoke with Lauren Noether, the bureau chief of the New Hampshire DOJ's Consumer Protection Office. She told me, "I think it's important for the public to know that there are these types of breaches." She added that "any information that helps a consumer to make decisions about with whom they want to do business is helpful."
With regard to the reports, she stated that "we have them online so that anyone--the media, the public--can look at them, just to see what's out there in the world of security problems."
She also noted that the reports have been useful for businesses that have recently suffered a breach. "People have called me and asked do I have a form?" She said that she is able to tell them that "you may want to take a look at the ways that other companies have reported it to us."
Noether told me that she hasn't heard a single complaint about the Web site and that she hasn't received any information to suggest that criminals were using the site to add credibility to their phishing attacks.
So much for the claims of the lobbyists. It's worth noting, however, that LexisNexis, one of the firms that flew a Washington D.C. lobbyist to Indianapolis to testify against the bill, has three different data breaches from 2007 listed on the New Hampshire DOJ site. Perhaps the company should spend more resources on protecting its customers' data, and less on lobbying?
Update: The text below was deleted from the post on February 18th. More details on its removal can be seen here. The original text has now been put back.
AT&T donated over $170,000 to Indiana state legislators in the 2006 election cycle while Verizon donated $48,000. Furthermore, while I'm sure that all 11 of the senators on the committee are all upstanding and honest legislators, I think it's worth mentioning that only one senator (Arnold) has not received thousands of dollars from AT&T in the past. The rest have all taken Ma Bell's money: Steele (R), Bray (R), Drozda (R), Zakas (R), Waltz (R), Waterman (R), Howard (D), Young (D), Tallian (D), Lanane (D).
I'm sure this in no way influenced their votes on Tuesday, but it sure does give you food for thought.
Update 2: When I wrote that original blog post back in February, detailing which members of the committee had received donations from AT&T, I neglected to do a bit of research. My efforts had been focused on just the members of the Senate Committee. I completely forgot to look up the donation history of Senator Brandt Hershman, the Republican Majority Whip, Senate "sponsor" of HB 1197, and the author of the amendment that stripped away 3/4 of the provisions in the original bill.
It turns out that while the senators on the committee each received $2000 from AT&T over the past few years, Senator Hershman has received even more love from Ma Bell. He received $4000 from AT&T in 2004, and another $2500 in 2006 -- AT&T was his top contributor that year.
Again, just as with the other senators, I'm in no way claiming that Senator Hershman's actions were motivated by the big fat checks he received from AT&T. I am sure that he amended the bill to strip out the parts hated by lobbyists only after carefully considering the issues, and coming to the conclusion that Indiana consumers do not need an easy way to find out about companies that lose their personal data.
In a direct slap in the face to consumers, tech industry giants including Microsoft, AT&T, and Verizon are frantically engaged in an effort to kill pro-consumer provisions in a data breach notification bill currently being considered by the Indiana State Senate.
AT&T: consumers should be kept in the dark--oh, and we kick puppies too.
(Credit: The Electronic Frontier Foundation)
The bill would require that the state attorney general act as a single point of contact for data breaches. Any company that suffered a breach impacting one or more Indiana consumers would be required to notify the AG's office. The bill would also make Indiana the only state in the country to require the attorney general to post a copy of each report to its Web site--so that consumers, members of the press, and academics would have a single place to go to in order to find out about data breaches.
At a State Senate committee meeting this morning, lobbyist after lobbyist criticized the provision. They claimed that by putting a list of breach notification reports online, the AG's office would provide phishers and other online fraudsters with ammunition with which to engage in phishing attacks. A lobbyist for Microsoft argued that phishing emails would be sent out to consumers, including a link to a real breach report on the AG's site, and then include a link to a fake website where consumers wishing to protect themselves from fraud would be tricked into inputting their personal information.
The state of New Hampshire already posts copies online of all breaches reported to its Department of Justice. The state has done this for the past year, yet in hours of searching, I've been unable to find a single phishing site or email that has referenced a breach report on the New Hampshire site. While New Hampshire regularly posts these reports, it is not required to by law, and only does so because someone in the attorney general's office is forward thinking and pro-consumer.
In addition to the New Hampshire site, both the Privacy Rights Clearinghouse and Attrition.org collect and publish data breach reports online. Attrition.org is even nice enough to provide an RSS feed of the latest breach reports, perfect for interested parties, or computer geeks wanting to create a mashup.
I spoke with Paul Stephens of the Privacy Rights Clearinghouse this afternoon to get his thoughts on the attempt by lobbyists to kill Indiana's breach Web site bill. When asked if PRC's site or reports located on it had been used by phishers, he dismissed the lobbyists' claims, and stated that "we have not heard of anything of that nature. All of the information on our site is otherwise available elsewhere, we are just creating a handy compilation of information." He added that "virtually every security breach already gets reported by the media."
Representative Matt Pierce
(Credit: Indiana House of Representatives)
In addition to the breach Web site requirement, the bill also fixes a number of loopholes in the current breach notification law. The law, as currently written, exempts companies from having to notify consumers if a laptop containing customer data is stolen, as long as the laptop has a login password. This is extremely problematic, as a login password does nothing to protect the data if the hard disk is taken out of the computer. The proposed bill fixes this loophole, and requires instead that companies wishing to avoid breach notification use strong data encryption with an undisclosed key. As the law currently stands, an employee can have her Windows login password written on a post-it note stuck to her laptop, and yet the company will not be required to notify consumers.
The proposed data breach notification bill was written by my local state representative, Matt Pierce, after I contacted him back in mid-2007. I voiced my concern about flaws in the existing law after I discovered and publicized an undisclosed 2006 data breach incident at Indiana University. Representative Pierce asked me to come up with a list of changes that I would like proposed, and asked me to try and find states that already had similar provisions on the books.
It took several months to hammer things out--and it took the help of Indiana University privacy law Professor Fred Cate, who acted as the voice of moderation and wisdom--but eventually, Representative Pierce submitted a bill in January that included most of the changes that I requested. The bill sailed through the State House of Representatives a couple of weeks ago, passing 94-0. It is only now that it has come up for consideration in the Senate that the industry lobbyists have decided to try and sabotage one of the most pro-consumer parts of the legislation.
I drove up to Indianapolis this morning, and testified before the Senate committee considering the bill. Apart from Representative Pierce, I was the sole voice calling for the bill's passage, while more than 10 lobbyists took turns at denouncing the bill as a gift to phishers and fraudsters.
While the encryption parts of the bill may end up passing, I suspect that the lobbyists may get their way, and kill the breach notification website requirement in the bill.
No matter what happens, this has been a fantastic experience for me, and a chance to see democracy in action (including the sordid world of lobbyists). A bill that I asked for and helped to draft passed through the house 94-0. I got to testify before a Senate committee, and with any luck, some of the loopholes in the existing law that I identified may be closed.
Anyone wishing to help to save the pro-consumer AG Web site notification parts of the bill (HB 1197) may want to try and call up the state senators on the Indiana Senate Committee on Corrections, Criminal, and Civil Matters. All can be reached by calling the Senate switchboard at (317) 232-9400.
These are:
- Senator Brent Steele
- Senator R. Michael Young
- Senator Jeff Drozda
- Senator Brent Waltz
- Senator John M. Waterman
- Senator Richard D. Bray
- Senator Joe Zakas
- Senator Karen Tallian
- Senator Tim Lanane
- Senator Jim Arnold
- Senator Glenn Howard