"Democratic and Republican senators have been busy drafting legislation that would establish national requirements for data security and breach notice. The following bills have been introduced over the last year: Data Security and Breach Notification Act, Toomey (R-PA); Personal Data Privacy and Security Act, Leahy (D-VT); Data Security Act, Carper (D-DE) and Blunt (R-MO); Data Security and Breach Notification Act, Rockefeller (D-WV); and Personal Data Protection and Breach Accountability Act, Blumenthal (D-CT). This post provides a side-by-side comparison of these five data-breach bills, which would impose varying standards and penalties. The comparison focuses on the breach-notification requirements of each bill; it does not discuss the standards that some bills would establish for internal security protocols to safeguard stored data."
"This thesis scrutinizes the proportionality and describes the subsidiarity of proposals for security breach notification laws (hereafter: SBNLs) in the European Union. […] The laws that have been assessed are Article 31 of the proposed Data Protection Regulation (hereafter: PDPR) and Article 14 of the proposed Cybersecurity Directive (hereafter: PCD). Article 31 PDPR concerns a single uniform personal data breach notification obligation. A personal data breach entails the unauthorized access to and/or theft of personal data. Article 14 PCD concerns the harmonization of national (significant) loss of integrity breach notification obligations. […] This thesis challenges the aforementioned assumption that determination of causality is straightforward. This is done by a more substantive assessment of the proportionality test. This thesis contributes an empirical study from a security economics perspective, in order to substantively review (the complexity of) effects of SBNLs. Do the (expected) effects of SBNLs match the aims they should attain according to the European proposals? And are these effects desirable?"
"One hot area of data privacy litigation over the past several years has been data breach class actions brought under the California Confidentiality of Medical Information Act (CMIA), which provides that a person may recover $1,000 ‘nominal’ damages against a healthcare provider who has negligently ‘released’ the person’s medical information. Until recently, no California appellate court had directly analyzed what constitutes a ‘release’ of medical information under the CMIA. The court in The University of California v. Superior Court (Platter) addressed this question for the first time in 2013 and held that the mere loss of possession of computer equipment containing medical information was not sufficient to constitute a release of the information itself. Instead, the court held, a plaintiff must be able to plead, and ultimately prove, that an unauthorized person actually accessed the plaintiff’s medical information. The Platter decision will protect defendants from CMIA liability in instances in which a computer or other device is lost or stolen and never recovered but where there is no evidence to suggest that anyone ever looked at the information contained on the device after the loss or theft."
"Late one evening in December 2010, an employee of a commercial blood bank left his office with four backup tapes to drive them to the company’s corporate headquarters, just 13 miles away. According to reports, he temporarily parked his car and locked its doors, leaving the tapes inside. Shortly thereafter, he returned to find the car’s window broken and various items missing, including the backup tapes, a company laptop, and an external hard drive. The unencrypted backup tapes contained customer names, contact information, Social Security numbers, credit card numbers, and checking account numbers. The laptop and external hard drive, also unencrypted, contained passwords and other information that could facilitate an intruder’s access to the company’s network. The employee immediately filed a police report. This was just the beginning of the company’s data breach saga."
"The term ‘data breach’ generally refers to the unauthorized or unintentional exposure, disclosure, or loss of sensitive information. A data breach can leave individuals vulnerable to identity theft or other fraudulent activity. Although federal agencies have taken steps to protect PII, breaches continue to occur on a regular basis. In fiscal year 2012, agencies reported 22,156 data breaches - an increase of 111 percent from incidents reported in 2009. GAO was asked to review issues related to PII data breaches. The report’s objectives are to (1) determine the extent to which selected agencies have developed and implemented policies and procedures for responding to breaches involving PII and (2) assess the role of DHS in collecting information on breaches involving PII and providing assistance to agencies."
"I recently noted a privacy breach at Northern Inyo Hospital in California. It was one of those ‘small breaches’ (i.e., less than 500 affected) that don’t get reported on HHS’s public-facing breach tool, but it really created distress for its victim. In discussing the breach, I noted my surprise at a statement the patient made that she might have to move to another community as she no longer had trust in the hospital and was worried about how information about her accessed by the employee might be used against her. […] The patient […] kindly reached out to me to discuss the case and her decision to move away."
"Perkins Coie’s Privacy & Security practice maintains a comprehensive chart that summarizes state laws regarding security breach notification. The chart is for informational purposes only and is intended as an aid in understanding each state’s sometimes unique security breach notification requirements."
"For this study, we asked insurance underwriters about data breaches and the claim losses they sustained. We looked at the type of data exposed, the cause of loss and the business sector in which the incident occurred. For the first time, this year we also looked at the size of the affected organization. We then looked at the costs associated with Crisis Services (forensics, notification, credit monitoring, and legal counsel), Legal (defense and settlement), and Fines (PCI & regulatory). This report summarizes our findings for a sampling of 145 data breach insurance claims, 140 of which involved the exposure of sensitive data in a variety of sectors, including government, healthcare, hospitality, financial services, professional services, retail and many more."
"This long briefing provides an overview of the definition of security incidents and breaches and an analysis of their scale and trends. We summarise the current EU-level efforts to address network and information security, review some of the provisions of the Commission’s 2013 proposals for a Network and Information Security Directive and offer recommendations. We have some potentially major concerns including the relationship of incident notification achieving the outcomes of the directive, potential for overlapping regulation and definitions of covered entities. We also suggest that it would be helpful to clarify what kind of incidents the Directive is aimed to address."
"All in all, 2012 reminded us that breaches are a multi-faceted problem, and any one-dimensional attempt to describe them fails to adequately capture their complexity. The 2013 Data Breach Investigations Report (DBIR) corroborates this and brings to bear the perspective of 19 global organizations on studying and combating data breaches in the modern world."
From ‘F. Was the contravention of a kind likely to cause substantial damage or substantial distress?’
"46. Having considered all the relevant circumstances we were not satisfied that the contravention in this case was of a kind likely to cause substantial damage or substantial distress. No doubt some breaches of the [seventh data protection principle - ‘personal data must be securely kept’] in respect of some data might be of such a kind. In this case, it seems to us that the fact that the data processor was a specialist contractor with a history of 25-30 years of dealings with Scottish Borders carries weight. He was no fly by night. The council had good reason to trust the company. 47. Focussing on the contravention we have been unable to construct a likely chain of events which would lead to substantial damage or substantial distress. What did happen was of course startling enough. Again, though, looking at the facts of the case, what did happen was in our view a surprising outcome, not a likely one. The overwhelmingly likely result of the summer 2011 arrangements, it seems to us was that the data processor would arrange for the files to be properly destroyed – to the extent that we would not describe any other outcome as likely."
"Breach Watch aims to be a useful repository of information about regulatory action taken as a result of data breaches. It provides a comprehensive archive of ICO and FCA/FSA enforcement, helpful categorisation and occasional analysis."
"While there are a handful of efforts to capture security incidents that are publicly disclosed, there is no unrestricted, comprehensive raw dataset available for download on security incidents that is sufficiently rich to support both community research and corporate decision-making. There are organizations that collect—and in some form—disseminate aggregated collections, but they are either not in a format that lends itself to ease of data manipulation and transformation required for research, or the underlying data are not freely and publicly available for use. […] To address this problem that has plagued the community, we are pleased to announce the VERIS Community Database (VCDB), which aims to collect and disseminate data breach information for all publicly disclosed data breaches. The data are coded into VERIS format and we also provided the dataset in an interactive visualization available for public use."
"California’s landmark law on data breach notification, which requires businesses and state agencies to notify Californians when their personal information is compromised in a security breach, took effect in 2003. […] The law also opened a window on privacy and security practices for companies, researchers, and policy makers. In 2012, for the first time, those subject to the California law were required to provide copies of their notices to the Attorney General when the breach involved more than 500 Californians. We received reports of 131 breaches in 2012, and we have reviewed the information submitted in order to gain an understanding of the types of breaches that are occurring, what vulnerabilities they may reveal, and what actions might be taken to prevent or reduce the likelihood of future breaches. In this report, we describe what we have seen and offer some recommendations based on our findings."
"This paper reports a study of privacy breaches in the U.S. from 2005-2011 to explore potential benefits of data privacy disclosure and auditing. Privacy auditing is a mechanism to help organisations to be vigilant in protecting information privacy, and to avoid penalties or damage to reputation and losing customer trust. Recently, privacy audits have been imposed on several high-profile organizations, but little is known about the benefits of privacy audits. We examined whether companies with privacy disclosures in their audited financial statements (as a proxy for privacy audits) were more or less likely to incur subsequent privacy breaches, and whether companies incurring breaches were more or less likely to make privacy disclosures."