"The continued loss of unique data, which should never be used for simple authentication purposes, threatens to erode confidence in the ecommerce system. As the realization dawns that not only
are users not adequately protected by corporate security systems, but they are also at increasing risk of serious identity theft, there is the potential for backlash. Ecommerce enterprises that recognize
the need to minimize the amount of truly unique personal data being held, and that work to improve the methods by which they authenticate users, could be in a position of advantage. Regardless, it is
inevitable that enterprises wishing to continue to do business online will eventually be forced to change the way they enroll users to their services and subsequently authenticate them."
"In this Opinion, the Article 29 Working Party provides guidance to controllers in order to help them to decide whether to notify data subjects in case of a “personal data breach”. Although
this opinion considers the existing obligation of providers of electronic communications regarding Directive 2002/58/EC, it provides examples from multiple sectors, in the context of the draft data
protection regulation, and presents good practices for all controllers."
"In the wake of one data breach after another, millions of Americans each year are offered credit monitoring services that promise to shield them from identity thieves. Although these services
can help true victims step out from beneath the shadow of ID theft, the sad truth is that most services offer little in the way of real preventative protection against the fastest-growing crime in
"Democratic and Republican senators have been busy drafting legislation that would establish national requirements for data security and breach notice. The following bills have been
introduced over the last year: Data Security and Breach Notification Act, Toomey (R-PA); Personal Data Privacy and Security Act, Leahy (D-VT); Data Security Act, Carper (D-DE) and Blunt (R-MO); Data
Security and Breach Notification Act, Rockefeller (D-WV); and Personal Data Protection and Breach Accountability Act, Blumenthal (D-CT). This post provides a side-by-side comparison of these five data-
breach bills, which would impose varying standards and penalties. The comparison focuses on the breach-notification requirements of each bill; it does not discuss the standards that some bills would
establish for internal security protocols to safeguard stored data."
"This thesis scrutinizes the proportionality and describes the subsidiarity of proposals for security breach notification laws (hereafter: SBNLs) in the European Union. […] The laws that have
been assessed are Article 31 of the proposed Data Protection Regulation (hereafter: PDPR) and Article 14 of the proposed Cybersecurity Directive (hereafter: PCD). Article 31 PDPR concerns a single
uniform personal data breach notification obligation. A personal data breach entails the unauthorized access to and/or theft of personal data. Article 14 PCD concerns the harmonization of national
(significant) loss of integrity breach notification obligations. […] This thesis challenges the aforementioned assumption that determination of causality is straightforward. This is done by a more
substantive assessment of the proportionality test. This thesis contributes an empirical study from a security economics perspective, in order to substantively review (the complexity of) effects of SBNLs.
Do the (expected) effects of SBNLs match the aims they should attain according to the European proposals? And are these effects desirable?"
"One hot area of data privacy litigation over the past several years has been data breach class actions brought under the California Confidentiality of Medical Information Act (CMIA), which
provides that a person may recover $1,000 ‘nominal’ damages against a healthcare provider who has negligently ‘released’ the person’s medical information. Until recently, no California appellate court had
directly analyzed what constitutes a ‘release’ of medical information under the CMIA. The court in The University of California v. Superior Court (Platter) addressed this question for the first time in
2013 and held that the mere loss of possession of computer equipment containing medical information was not sufficient to constitute a release of the information itself. Instead, the court held, a
plaintiff must be able to plead, and ultimately prove, that an unauthorized person actually accessed the plaintiff’s medical information. The Platter decision will protect defendants from CMIA liability
in instances in which a computer or other device is lost or stolen and never recovered but where there is no evidence to suggest that anyone ever looked at the information contained on the device after
the loss or theft."
"Late one evening in December 2010, an employee of a commercial blood bank left his office with four backup tapes to drive them to the company’s corporate headquarters, just 13 miles away.
According to reports, he temporarily parked his car and locked its doors, leaving the tapes inside. Shortly thereafter, he returned to find the car’s window broken and various items missing, including the
backup tapes, a company laptop, and an external hard drive. The unencrypted backup tapes contained customer names, contact information, Social Security numbers, credit card numbers, and checking account
numbers. The laptop and external hard drive, also unencrypted, contained passwords and other information that could facilitate an intruder’s access to the company’s network. The employee immediately filed
a police report. This was just the beginning of the company’s data breach saga."
"The term ‘data breach’ generally refers to the unauthorized or unintentional exposure, disclosure, or loss of sensitive information. A data breach can leave individuals vulnerable to identity theft or other fraudulent activity. Although federal agencies have taken steps to protect PII, breaches continue to occur on a regular basis. In fiscal year 2012, agencies reported 22,156 data breaches - an increase of 111 percent from incidents reported in 2009. GAO was asked to review issues related to PII data breaches. The report’s objectives are to (1) determine the extent to which selected agencies have developed and implemented policies and procedures for responding to breaches involving PII and (2) assess the role of DHS in collecting information on breaches involving PII and providing assistance to agencies."
"I recently noted a privacy breach at Northern Inyo Hospital in California. It was one of those ‘small breaches’ (i.e., less than 500 affected) that don’t get reported on HHS’s public-facing breach tool, but it really created distress for its victim. In discussing the breach, I noted my surprise at a statement the patient made that she might have to move to another community as she no longer had trust in the hospital and was worried about how information about her accessed by the employee might be used against her. […] The patient […] kindly reached out to me to discuss the case and her decision to move away."
"Perkins Coie’s Privacy & Security practice maintains a comprehensive chart that summarizes state laws regarding security breach notification. The chart is for informational purposes only and is intended as an aid in understanding each state’s sometimes unique security breach notification requirements."
"For this study, we asked insurance underwriters about data breaches and the claim losses they sustained. We looked at the type of data exposed, the cause of loss and the business sector in which the incident occurred. For the first time, this year we also looked at the size of the affected organization. We then looked at the costs associated with Crisis Services (forensics, notification, credit monitoring, and legal counsel), Legal (defense and settlement), and Fines (PCI & regulatory). This report summarizes our findings for a sampling of 145 data breach insurance claims, 140 of which involved the exposure of sensitive data in a variety of sectors, including government, healthcare, hospitality, financial services, professional services, retail and many more."
"This long briefing provides an overview of the definition of security incidents and breaches and an analysis of their scale and trends. We summarise the current EU-level efforts to address network and information security, review some of the provisions of the Commission’s 2013 proposals for a Network and Information Security Directive and offer recommendations. We have some potentially major concerns including the relationship of incident notification achieving the outcomes of the directive, potential for overlapping regulation and definitions of covered entities. We also suggest that it would be helpful to clarify what kind of incidents the Directive is aimed to address."
"All in all, 2012 reminded us that breaches are a multi-faceted problem, and any one-dimensional attempt to describe them fails to adequately capture their complexity. The 2013 Data Breach Investigations Report (DBIR) corroborates this and brings to bear the perspective of 19 global organizations on studying and combating data breaches in the modern world."
From ‘F. Was the contravention of a kind likely to cause substantial damage or substantial distress?’
"46. Having considered all the relevant circumstances we were not satisfied that the contravention in this case was of a kind likely to cause substantial damage or substantial distress. No doubt some breaches of the [seventh data protection principle - ‘personal data must be securely kept’] in respect of some data might be of such a kind. In this case, it seems to us that the fact that the data processor was a specialist contractor with a history of 25-30 years of dealings with Scottish Borders carries weight. He was no fly by night. The council had good reason to trust the company. 47. Focussing on the contravention we have been unable to construct a likely chain of events which would lead to substantial damage or substantial distress. What did happen was of course startling enough. Again, though, looking at the facts of the case, what did happen was in our view a surprising outcome, not a likely one. The overwhelmingly likely result of the summer 2011 arrangements, it seems to us, was that the data processor would arrange for the files to be properly destroyed – to the extent that we would not describe any other outcome as likely."
"Breach Watch aims to be a useful repository of information about regulatory action taken as a result of data breaches. It provides a comprehensive archive of ICO and FCA/FSA enforcement, helpful categorisation and occasional analysis."