ORLANDO, Fla.—Uh-oh, Sales has lost a laptop. The nightmare that ensues brings a host of uncertainties: Exactly what data was on that thing? How do you define nonpublic, private or confidential information? What constitutes a breach or a mass data compromise? What are your obligations to protect that data, and what are your organization’s obligations regarding notifying the potential victims of identity theft?
These are just some of the questions you should answer before the laptop is lost, the BlackBerry is stolen or the database is hacked, said Mark Everist, a director of audit for American Express, during a session titled “Ensuring Customer Notification of Unauthorized Access” here at the InfoSec World Conference & Expo on March 19.
This is particularly true given the widespread prevalence of data loss, he said. “Most adults in the United States and Canada should [by now] have suffered some type of identifying information loss or theft since ChoicePoint,” he said. “Since ChoicePoint, 147 million U.S. and Canadian resident records have been reported stolen.”
Everist was referring to ChoicePoint’s 2005 admission that the ID verification services vendor had mishandled the personal financial data of consumers.
ChoicePoint’s admission was a turning point in notification legislation and privacy law, he said, given the scope and the nature of what ChoicePoint was doing: The consumer data aggregator was found guilty of selling the information of 163,000 U.S. citizens to fraudsters and was subsequently fined a record-setting $15 million. “They were selling the information [pertaining to] who could do what with [personally identifying information and a given credit rating],” he said. “Fraudsters were purchasing personal information records.”
Were you to analyze the core fundamental elements to any privacy law that followed the ChoicePoint incident, Everist said, you’d find that ChoicePoint “broke just about all of them.” After the revelation, “You saw a slew of states pass legislation,” he said.
In fact, that’s one of the problems organizations face when dealing with a data breach, Everist said. With 33 states having passed statutes on notification and data handling, on top of additional U.S. banking regulatory guidance, the resulting mishmash of legislation lacks consistent definitions of the key elements of a data breach.
For example, under California’s trend-setting SB 1386 legislation, the definition of “personal information” is considered to include an individual’s first name or first initial and last name, in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: Social Security number, driver’s license or California identification card number, account number, or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.