Disclosure as Deterrent

Perhaps lost amidst some other minor news today, we learn of possibly one of the largest data breaches ever. According to the Security Fix blog at the Washington Post, a large payment processor called Heartland Payment Systems was infiltrated by a piece of malicious software:

Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.

“The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” [the company's president] said. “At this point, though, we don’t know the magnitude of what was grabbed.”

Wow. (The company hastens to add that, because the bad guys didn’t get addresses, they would need to make counterfeit cards to exploit this data. Small comfort if you’ve read stories like this one.)

This disclosure reminded me of a speech I attended recently: an important DC lawyer who represents companies in privacy disputes was complaining about data breach notification laws. He pointed out, correctly I think, that the expense of disclosing a breach often dwarfs the real risk of harms like identity theft. But then he said the better response would be regulatory rules that set the requirements for data security. Not so sure about that.

I am skeptical about the effectiveness of some federal agency (the FTC?) supposedly auditing data security compliance at big firms across the country. It has not worked very well for health care privacy under HIPAA. One thing that moves data security up a company's priority list is the reality that mistakes will be made public. Without the states' data breach notification requirements, we might never have found out about the Heartland breach (never mind the many, many others revealed through these laws). True, there could be better standards as to when a breach creates enough risk that the costs of notification are worthwhile. But the basic technique of using the disclosure of errors as a deterrent, forcing better precautions, seems sound to me in this setting. How far would we be toward improving data security if these breaches had remained secret?
