Thursday, July 21, 2011

Mandatory Notification

In the last decade, state legislatures around the US created mandatory notification laws for security incidents involving specific personally identifiable information, such as Social Security Numbers, driver's license numbers, or financial account information. Usually, these laws mandate that anyone who knows they have lost such information must publicly notify their attorney general as well as those affected by the data breach. Creating a severe liability for not notifying people when there are data breaches helped stir up new information security efforts, certainly within higher ed at least. Even so, we see news stories left and right of websites and other data stores being compromised.

The question of whether or not to notify when there is a potential data breach is a complex one. At least in New York State, notifications have to happen once an investigation is complete, but not before that investigation is done. For the unscrupulous, these details can be used to delay notifications. Also, notifications only have to happen if there is a reasonable chance that data was lost. What "reasonable" means is up for interpretation, and people can weasel their way out of notifications by interpreting the facts in certain ways.

Mandatory Notification

It used to be
My infosec diary
Was something just for me.

'Til my blasted state
Had to go and create
A notification-type mandate.

Now every one little sin,
Every hack of /bin,
Requires Public Relations' spin.

So I have to decide:
Should I show or hide
When bad guys get inside?

And if they post a file,
Or our homepage defile,
Or pollute our Twitter with bile,

We'll blame the hacker!
Be a victim, not a slacker!
Fault will lie with the evil attacker.

It's not that we failed,
Or through open gates that they sailed
In the end we will have prevailed.