Point by Marcus Ranum
THERE'S AN OLD SAYING, "Sometimes things have to get a lot worse before they can get better." If that's true, then breach notification laws offer the chance of eventual improvements in security, years hence.
For now? They're a huge distraction that has more to do with butt-covering and paperwork than improving systems security.
Somehow, the security world has managed to ignore the effect voluntary (?) notification and notification laws have had in other fields, namely none. We regularly get bank disclosure statements, stock plan announcements, HIPAA disclosures, etc., and they all go immediately in the wastebasket, unread. When I got my personal information breach notification from the Department of Veterans Affairs, it went in the trash too.
"Your personal information has been disclosed...yadda, yadda, yadda": annoying stuff that's my responsibility to deal with because someone, someplace else, didn't handle data about me responsibly. We are deluged with fine-printed disclosures and warnings, and eventually they're all as empty of meaning as the Department of Homeland Security's color-coded terrorism threat warning level.
Aside from causing numbness in customers' minds, breach notification laws don't actually do anything to encourage good behavior; they just make bad behavior more obvious and expensive. The theory, I suppose, is that businesses will improve their security out of fear of losing customers. Three problems with that:
* Most customers seem to assume that if one bank/brokerage/hospital/whatever can't keep its data secure, it's likely that none of them can, and there's zero incentive to switch.
* It's already too late. You might be able to motivate a customer to switch providers before there is a problem, but after there's a problem, they're going to be more likely to spend their time calling in fraud alerts and looking at their bank statements than complicating things further by switching providers.
* It assumes there is actually a free market. My Social Security number was leaked by the U.S. government. As much as I'd like to fire them, I can't.
All I see breach notification laws doing is informing customers that they need to pay attention to their horses after they've left the barn via an unlocked door in someone else's barn. Not to over-stretch an analogy, but if you let my horse out of your barn, it's your problem to catch him safely and if anything bad happens to him while he's gone walkabout, it's your responsibility. What these data breach laws are really saying to the consumer is "our mistake is your problem and we're bending over backwards to make sure you know that...it's your problem."
We know that's silly.
But breach notification laws encourage businesses and government agencies to worry about entirely the wrong thing. They should be worrying about the barn door. Most importantly, it shouldn't be the customer's problem.
A lot of personal information is at risk because it is stored in systems that are not well designed to separate information within the organization. Some of us were warning about this back in the late 1980s; it's a bad idea to have your database configured so every secretary and contractor can access any record it contains.
As long as systems are built that way, there will be news stories such as "Bored contractors examine presidential candidates' medical records" or "Customer database sold by ex-employee." This is not rocket science; it's just common sense. I'd rather have my government agencies and commercial providers worrying about how to fix their poorly designed systems than having their lawyers wordsmithing breach notices.
This was first published in January 2009