This story appeared on Network World at http://www.networkworld.com/columnists/2006/081406bradner.html
Congress fails to grasp security risk
'Net Insider
By Scott Bradner, Network World, 08/14/06
It's now almost a year and a half since the ChoicePoint debacle, in which Social Security numbers and other personal information about 145,000 people was "improperly accessed" (to use ChoicePoint's description), and data about tens of millions of others was put at risk. The resulting publicity was instrumental in identity theft-related laws being passed in almost three dozen states - but not, as of yet, by Congress. Given some of the bills under consideration, it might be better for you and me if Congress continues not to act.
The security breach at ChoicePoint was not the first such incident and certainly not the last. The Privacy Rights Clearinghouse maintains a list of the steady drumbeat of breaches reported since the ChoicePoint one. The list - 250-plus breaches of various types as of this writing - is not fun reading: far too many thefts of laptops with far too little encryption; far too many hacks of servers and missing, unencrypted backup tapes - and most troubling, far too many cases where people were keeping Social Security numbers because they could, not because they needed to.
The reason we know about most of these breaches is not that the breached organizations wanted to do the right thing, but that a 4-year-old California law mandates notification if people's financial information might have been compromised. Specifically, in the words of the law, someone holding data must provide notification "to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." Note that it is the breach itself that triggers the disclosure requirement, not an expectation that the breach might produce a risk to the individual whose data was compromised.
The ChoicePoint case came to light when the company got around to notifying California residents of the breach. There is no reason to believe ChoicePoint would have told anyone without the notification law, because the company did not do so after a breach that occurred before that law went into effect. Companies are often reluctant to disclose breaches, because it can cost a lot of money. For example, ChoicePoint has settled with the Federal Trade Commission for $15 million, on top of whatever the incident cost ChoicePoint in direct expenses. The total number of people put at risk by the breaches in the Privacy Rights Clearinghouse list is a bit more than 90 million. To put this into context, according to published reports, as many as 9 million U.S. residents have suffered some form of identity theft. Congress has held a number of hearings since ChoicePoint's revelations and has been considering a number of bills that ostensibly would help reduce that threat. All the bills have one thing in common: They would preempt state laws in favor of a consistent national policy. Most of the bills, however, look like they were written by lobbyists working for the likes of ChoicePoint.
For example, a bill - the Financial Data Protection Act of 2005 (H.R. 3997) - being considered by the House of Representatives would let the breached company decide whether it should notify customers of a breach; the company would need to notify customers only if it felt the data was going to be misused to cause them financial harm, not under any other conditions. Under this proposal, we will hear less about companies that are sloppy with data. With friends like these in Congress, it might be better to let them continue to fail to deal with the issue and keep the state laws in effect.
Disclaimer: Harvard tries not to teach people to fail, but in some cases it might be a good idea. If so, it's my idea, not Harvard's.
All contents copyright 1995-2006 Network World, Inc. http://www.networkworld.com