US-Style Data Breach Notifications Not The Model For UK: Data Breach, Data At Risk, And Overall Confusion.
SC Magazine reports that the UK Information Commissioner has stated that the US laws requiring public notification in the event of a data breach are not a viable model for the island nation. I have argued before that a blanket approach to notifications is counterproductive when the companies affected by a breach have used data protection measures such as hard disk encryption or file encryption, so I can empathize with him.
Let’s lay some groundwork. The term data breach actually carries at least two meanings: data at risk, and an actual data breach in the narrow sense, which is not the same as the blanket sense in which I used the term above. Confused yet?
I wouldn’t be surprised if you were. The reason there is so much confusion among the general public about data breaches, I think, is that the one term is used for two different, but related, events. Let’s see if I can clarify this.
An unauthorized person downloading a spreadsheet full of names, Social Security numbers, addresses, and other data is an actual data breach, since we know sensitive data is in the hands of someone who shouldn’t have it. Someone had to initiate that download, so we know a person is behind it. It’s clearly a data breach. No confusion there.
However, a data-at-risk event, such as the loss of a laptop containing sensitive information, is also regarded as a data breach. Note that we don’t actually know what happened to the data on the laptop. Someone could have accessed it to commit fraud, or someone could have wiped the contents without a second look in order to use the computer. The laptop could have been used, along with other laptops, to build a fort now on permanent exhibition at, I don’t know, Legoland. Who knows? Common sense tells us, though, that we have to treat the incident as if it were a data breach and proceed from there. Hence the notification letters when disks, laptops, and other devices go missing.
In summary, an event where there was an actual data breach is a data breach. An event where data is at risk, but we don’t know whether the data was actually breached, is also a data breach. Makes sense, right? The problem, and this is my opinion, is that some laws in the US regard “data at risk” incidents as a data breach regardless of whether data security tools such as laptop encryption software were used.
I personally think that the loss of a laptop that uses encryption to protect its contents is not a data breach. Heck, I’m not sure I would even label it “data at risk” unless it was noted that the “risk” is smaller than the chance of finding El Dorado (the mythic city, not the movie in the bargain bin at Blockbuster. Speaking of which, James Caan rocks). The risk of a lost but encrypted laptop turning into an actual data breach is minuscule. In fact, I’d say the data is better protected than data residing on a physically guarded, but unencrypted, server.
Should people be notified when an encrypted computer is lost? Or when an encrypted USB memory stick is lost? I don’t think that is any more necessary than alerting the world that I had my wisdom teeth removed. The loss of encrypted data is not news, and it certainly is not cause for concern. It is also not a reason to alert thousands of people that, essentially, nothing happened. When it comes to data breaches, the loss of an encrypted laptop is pretty much the same as the loss of a new laptop straight out of the box: you don’t have one. Likewise for CDs, smartphones, memory sticks, and other electronic data repositories that were encrypted.
There are caveats, of course. A company using weak encryption should not only notify customers but get a beating with the idiot stick. Likewise when the usernames and passwords needed to decrypt the information are found stuck to the computer. But if the data cannot realistically be breached, well, let’s put it this way: my impacted third molars would make for more conversation than a lost, encrypted computer.
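To make the “weak encryption” caveat concrete, here is an added example of mine; it is not code from the original post or from any encryption product. It takes a constructed, fictitious CSV export of the kind the post describes (names and Social Security numbers) and “protects” it two ways: a repeating-key XOR stands in for a weak product cipher, and HMAC-SHA256 run in counter mode stands in for a proper stream cipher (real disk encryption uses AES in XTS or CTR mode; the PRF here is only so the example runs with the standard library). The same known-plaintext trick, guessing that the file starts with its CSV header, is then run against both. Against the weak scheme it recovers the whole file, which is an actual data breach; against the proper scheme it recovers only the header it already knew. The sample records, the key names, and the helper names are all assumptions for illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed sample data: the spreadsheet the post talks about, with fake values.
RECORDS = (
    b"name,ssn,address\n"
    b"Alice Example,123-45-6789,1 Main St\n"
    b"Bob Sample,987-65-4321,2 Oak Ave\n"
)
# An attacker who finds the laptop can guess that a CSV export starts with a header.
KNOWN_HEADER = b"name,ssn,address\n"

SSN = re.compile(rb"\d{3}-\d{2}-\d{4}")


def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings (truncates to the shorter)."""
    return bytes(x ^ y for x, y in zip(a, b))


# --- "Weak encryption": a short fixed key repeated across the whole file. ---
def weak_encrypt(data, key):
    """Repeating-key XOR: every len(key)-th byte is masked with the same key byte.
    XOR is its own inverse, so this also decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def break_weak(ciphertext, known_prefix, key_len):
    """Known-plaintext attack. One key period of plaintext is enough:
    key = ciphertext XOR plaintext over the first key_len bytes, and because
    the key repeats, that single period unlocks the entire file."""
    key = xor_bytes(ciphertext[:key_len], known_prefix[:key_len])
    return weak_encrypt(ciphertext, key)


# --- Proper encryption: a random per-device key and a keystream that never repeats. ---
def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode (stand-in for the AES modes real products use)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def strong_encrypt(data, key, nonce):
    """Encrypt or decrypt (same operation) with the counter-mode keystream."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def attack_strong(ciphertext, known_prefix):
    """The same known-plaintext trick. It yields the keystream bytes under the known
    header, but those bytes say nothing about later positions. The best the attacker
    can do is pretend the stream repeats, which produces garbage past the header."""
    recovered = xor_bytes(ciphertext[:len(known_prefix)], known_prefix)
    return bytes(c ^ recovered[i % len(recovered)] for i, c in enumerate(ciphertext))


def ssns_exposed(data):
    """How many SSN-shaped strings an attacker can read out of a recovered file."""
    return SSN.findall(data)


def run_demo():
    """Returns (SSNs recovered from the weak scheme, SSNs recovered from the proper scheme)."""
    weak_ct = weak_encrypt(RECORDS, b"Passw0rd")          # 8-byte fixed product key
    weak_result = break_weak(weak_ct, KNOWN_HEADER, 8)    # attacker guesses the period

    key, nonce = os.urandom(32), os.urandom(16)           # never leaves the device
    strong_ct = strong_encrypt(RECORDS, key, nonce)
    strong_result = attack_strong(strong_ct, KNOWN_HEADER)

    return ssns_exposed(weak_result), ssns_exposed(strong_result)


if __name__ == "__main__":
    weak, strong = run_demo()
    print("weak scheme, SSNs recovered:  ", weak)     # both fake SSNs come back
    print("proper scheme, SSNs recovered:", strong)   # nothing beyond the known header
```

The second caveat in the post is the other side of the same coin: `strong_encrypt(ciphertext, key, nonce)` decrypts instantly for anyone who has the key, which is exactly what a password on a sticky note hands to whoever finds the laptop. Encryption only earns the “nothing happened” verdict when both the algorithm and the key handling hold up.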