Tag Archives: breach notification

California Amends Its Data Breach Law

You might think this is obvious, but just in case it is not, California wants to make this clear.  It used to be, in California, that if you had sensitive data encrypted and that data was stolen, you didn’t have to tell people because, after all, it was encrypted.

But there is a rub with that.  In most cases, when an authorized user accesses the data, that user does not have to enter the decryption key, right?  So where is the key?  In some cases, the key is hard coded into the program.  In other cases, the key is in a configuration file, and in a relatively small number of cases, the key is stored in a device called a hardware security module, or HSM.  But HSMs are expensive and add a degree of complexity, so most companies don’t use one.  Amazon and some other cloud services support HSMs, but you have to pay extra for them.

So what this means is that a lot of the time, when a hacker breaks into a system and the data is encrypted, the decryption key is right there for the hacker to take as well.  That is why you sometimes hear about a breach where they say “even if the data had been encrypted it would not have solved the problem”.

So here is what CA AB 2828 says.

  1. If a system is breached and
  2. Encrypted personal information was, or is reasonably believed to have been, taken and
  3. The encryption key or other decryption credentials were, or are reasonably believed to have been, taken and
  4. There is a reasonable belief that the encryption key or other credentials could make that data readable

Then you are required to make a breach notification.

This law goes into effect January 1, 2017.

Once this law goes into effect, even if the data is encrypted, you will need to be able to show, in case of a breach, that the hacker did not access the decryption keys.  This may require additional logging or auditing, and you have to retain that audit trail so that you can use it years later in case of a lawsuit.  Your operations team will likely need to make changes in order to do this.
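One way to produce the kind of audit trail described above is a tamper-evident log of every access to a decryption key, so that years later you can show who touched which key and when, and prove the record was not edited after the fact.  This is an added example, not code from the post or from any product it mentions; the log format, key names and principals are hypothetical and the three events are constructed sample data.

```python
import hashlib
import json
from datetime import datetime

# Hypothetical append-only audit log of decryption-key access events.
# Every record carries the SHA-256 of the record before it, so an edit or
# deletion made later breaks the chain and shows up when the log is verified.
GENESIS = "0" * 64


def _digest(prev_hash: str, event: dict) -> str:
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_event(log: list, key_id: str, principal: str, action: str, ts: str) -> dict:
    """Append one key-access record, linked to the previous record's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    event = {"ts": ts, "key_id": key_id, "principal": principal, "action": action}
    record = {"event": event, "prev": prev_hash, "hash": _digest(prev_hash, event)}
    log.append(record)
    return record


def verify_chain(log: list) -> bool:
    """Recompute every link; False if any record was altered, removed or reordered."""
    prev_hash = GENESIS
    for record in log:
        if record["prev"] != prev_hash or record["hash"] != _digest(prev_hash, record["event"]):
            return False
        prev_hash = record["hash"]
    return True


def key_accesses_in_window(log: list, key_id: str, start: str, end: str) -> list:
    """Return the events touching key_id between start and end (ISO 8601, inclusive)."""
    s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [r["event"] for r in log
            if r["event"]["key_id"] == key_id
            and s <= datetime.fromisoformat(r["event"]["ts"]) <= e]


def build_sample_log() -> list:
    """Constructed sample: three key-access events, not real data."""
    log = []
    append_event(log, "pii-key-1", "app-service", "decrypt", "2017-03-01T10:00:00+00:00")
    append_event(log, "pii-key-1", "dba-jsmith", "export", "2017-03-02T02:15:00+00:00")
    append_event(log, "pii-key-2", "app-service", "decrypt", "2017-03-02T03:00:00+00:00")
    return log
```

After an incident, `key_accesses_in_window` answers the question the law actually asks (was the key for this data accessed during the breach window?), and `verify_chain` lets you show the answer comes from an unmodified record.  In production the chain head would be copied off-host or signed regularly so an attacker with write access to the log cannot rebuild it.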

Remember that with state breach notification laws, it matters where the person whose data was breached lives, not where your office is, so if you are in Colorado but you have customers in California, California may come after you in the case of a breach.

Whether you are worried about the California law or not (and some other states have breach laws that require notification whether the data is encrypted or not), now would be a good time to consider whether your encryption will stop a hacker who breaks into your system from reading your data.  Dealing with a breach is expensive, hurts your reputation and may cost you customers.  Avoiding a reportable breach just makes good business sense, independent of the law.

Information for this post came from National Law Review.


To disclose or not to disclose

In an August 12, 2014 post on Pymnts.com, the information security executive at Urban Outfitters, Dawn-Marie Hutchinson, argued against disclosure of breaches.  In fact, the company’s policy is to notify their lawyers first so that they can use attorney-client privilege.

While I sort of understand the concept of not disclosing things too soon (like before you have any facts, for example), I have also seen companies not disclose breaches for 6 months or more.

I will argue that if customers find out that you had a breach and decided not to tell them – without regard to whether that is even legal in many states – you will tick off more people than if they had found out from you in a timely and responsible fashion.  Social media will go crazy once it does get out – it always does.  Guaranteed.

For many years – prior to CA SB 1386, the grandfather of all breach laws – companies were not required to disclose, and for sure, security was much better then – NOT!

So what is the argument for not disclosing, or not disclosing early?  Customers will beat us up.  Right!  What’s your point?  If you insist, as a business, on keeping a lot of customer information and not protecting it well, then you should get beat up.  The answer to that is to communicate.  Do it at the appropriate time.  Take responsibility.  Explain things.  Have people understand the world is not going to end.  And yes, you will likely take a short term hit.

Security is a business (financial) decision just like everything else a company does.  It has to be weighed against all the other needs that those dollars can also be spent on.  However, the pre-CA SB 1386 world was not more secure than the post-CA SB 1386 world.  In fact, most companies are paying way more attention now than they ever have.  It’s a VERY hard problem.  The hackers only have to be right (get in) one time.  The company has to be right (keep the hackers out) every time.  I have been doing this for a long time – it is not easy or simple.

Now maybe what Ms. Hutchinson was suggesting was that your first call after finding out about a possible breach should NOT be to the NY Times or Wall Street Journal.  If so, then I agree with her.  Responsible disclosure means just that.  Responsible.  You have to have some facts in order to be responsible.

Does that mean 1 day?  1 week?  1 month?  Probably one of those.  It does not mean silence, however.

Mitch Tanenbaum

Update:  Here is another article on the issue.