In an interesting IAPP article, Kelce Wilson, InfraGard General Counsel, describes how bad actors without any hacking expertise can potentially insert themselves into the middle of a data breach notification effort and engage in widespread identity theft. There is another unanticipated consequence of data breach notification: with the trend toward public disclosure of data breach notification letters and statistics, more and more information is entering the public domain about the types of data our organizations collect and whether or not we encrypt that data. Case in point, Massachusetts, where yearly Data Breach Notification Reports are available online. The 2018 Report lists the data breaches reported to Massachusetts authorities during that year.
Not only does the Massachusetts Report show the type of breach (paper or electronic) and the types of information at issue (SSN, account number, etc.), it also shows whether the data at issue was encrypted at the time of the breach and whether a mobile device was lost or stolen. This, of course, provides a low-tech roadmap for potential threat actors looking for targets that keep certain types of unencrypted PII on their systems or mobile devices. (Although a data breach can be a good inflection point for an organization to consider and adopt encryption where it had not before, an organization rarely encrypts all of its unencrypted PII immediately following a data breach, so the report remains a reasonable guide to its current state.) The notice letters themselves leak the same information, because state data breach notification statutes generally do not require notification if the data at issue was encrypted at the time of compromise and the encryption key was not compromised. Hence, a threat actor who consults any one of the numerous 50-state data breach notification law surveys on the web can readily infer that an organization whose notice letter is posted on a state attorney general's website did not, at the time of the breach, and likely does not now, encrypt the types of data referenced in that letter.
This is, of course, a conundrum inherent to cybersecurity laws. Attackers can read the laws as well as we can, and they understand the implications of what the laws require. We may not be able to live without data breach notification laws, but we certainly need to learn to live with the risks they create.