The “Reasonable Belief” of a Privacy Breach

The second article in my March e-journal issue of “IT Compliance in Realtime” is “The “Reasonable Belief” of a Privacy Breach.”
Here it is, unformatted:

What Is a Privacy Breach?
The 40 U.S. state breach notice laws, including the District of Columbia, provide some pretty specific details about what is considered personally identifiable information (PII). However, the definition of what is considered inappropriate access to PII is consistently vague.
See a listing of all 40 U.S. state breach laws at
Add to this long list of PII descriptions the virtually infinite number of ways in which privacy breaches can occur.

  • Inappropriate access to the network or computer systems
  • Lost or stolen computers, such as laptops and PDAs
  • Lost or stolen computer storage media, such as USB drives and backup tapes
  • Mistake that leaves information vulnerable
  • Dishonest authorized insiders inappropriately using PII
  • Email messages with confidential information sent or forwarded inappropriately
  • Fraud activities perpetrated by outsiders, insiders, and combinations of both
  • Hackers gaining unauthorized access to the information
  • Information exposed online because of inadequate controls
  • Insiders inappropriately using PII
  • Confidential paper documents not being shredded and given to people outside the organization (for example, being recycled as scrap paper in a preschool or church)
  • Improper disposal of digital or printed information
  • Password compromise
  • Customer or employee angry with privacy practices
  • And so many others…

Some privacy breaches affect millions of individuals, some affect thousands, and some affect one. Many organizations are struggling with knowing when to notify impacted individuals following a security incident that involves PII. Some organizations try to determine whether to notify individuals based solely upon how many individuals were involved. However, it is important that this decision be made based upon the circumstances involved with the breach coupled with knowledge of the applicable breach notice laws.
When to Notify?
So when do you need to notify individuals of a privacy breach? Make no doubt about it, there are differences between all the state breach notice laws. Some states require notification to affected individuals only if there is a reasonable possibility of identity theft. Other states do not require notification unless it has been determined that misuse of the information has occurred or is reasonably likely to occur. And in yet other states, notification is not required unless there is a reasonable likelihood of actual harm to customers. Table 1 shows, at a very high level, the notification requirements for each state. It is important for you to have a good long meeting with your legal counsel to identify all the specific requirements within each law.
[Table 1: State breach notice requirements]
NOTE: See the full table within the PDF of the article.
If your organization has locations in multiple states and/or customers in multiple states, it is best to follow the most stringent notification requirements. It would be impractical, and a bad idea from a public relations perspective, to notify (or not notify) customers in differing ways based upon the state in which they live.
When an incident occurs that involves PII, it is critical to determine as quickly as possible whether the event triggers a requirement to notify affected individuals. To make this determination, organizations need to answer at least the following questions:

  • Was PII involved? Does the information involved in the security incident fall under the definition of “personal information” under any of the at least 40 state breach notification laws? If PII was not involved, a privacy breach did not occur. Make sure your definitions are up to date. In California, AB1298 expanded the definition of personal information, which was established in 2003 by SB 1386, to include medical and health insurance information.
  • Was the PII in digital form? In many state breach notice laws, only incidents involving computerized information require individual notification. However, it is important to know that some of the state laws require notification for incidents involving PII in any form, such as on printed paper. Even if you find notification is not required by any of the laws for the states in which the affected individuals reside, depending upon the incident, your organization may determine it is best to notify involved individuals any way.
  • Was the PII encrypted? Many state breach notice laws specify that if the PII involved was encrypted, notice is not necessary. However, the maddening issue that is the cause of contention between many legal and IT areas is that the laws do not define consistently what is considered encryption! Some definitions describe encryption as vaguely as storing the PII in an “unreadable format.” This aside, you, and your legal folks, must know and understand that encryption does not mean you just have a password on the computer equipment. Organizations generally are required to notify affected individuals when computers and electronic storage equipment with passwords, but no encryption, are lost or stolen.
  • Is it reasonable to believe that an unauthorized person accessed PII? This is almost always the most controversial question to answer. If an organization has a “reasonable belief,” as indicated in most of the state breach notice laws, that an unauthorized person accessed the information, notification is often required. As indicated previously, many of the state breach notification laws contain a clause indicating notification is not required unless there is reasonable possibility of harm, misuse, or identity theft. Do not rely completely upon this harm-likelihood concept. Many other state breach laws do not contain such harm-likelihood considerations, and your organization may be expected to send notifications as a matter of due care regardless of the answer to this question depending upon how you answered the previous three questions.

[Figure 1: Likelihood notification is necessary]
NOTE: See this likelihood graphic within the PDF of the article.
Answering the “Reasonable Belief” Question
You should document a repeatable and consistent procedure to make the determination of whether it was likely that PII was accessed in an unauthorized manner. It is helpful to look at the all the factors involved with the incident and, based upon thoughtful consideration, place it within the appropriate location in the likelihood meter represented in Figure 1.
It is reasonable to consider that the likelihood PII was accessed was great if one or more of the following situations exist:

  • A lost or stolen computer or other electronic storage device containing unencrypted PII was in the physical possession and control of an unauthorized person
  • A system compromise that involved unencrypted PII occurred a significant time ago, allowing the potential for unauthorized access over a long period of time
  • Logs indicate the file containing PII was accessed after a system compromise, and the accesses were not attributed to authorized use of an application
  • Logs provide evidence that PII was downloaded, copied, or otherwise accessed; for example, an ftp log that contains the name of a file containing PII
  • A significant window of opportunity for remote access to, and download of, PII exists
  • The unauthorized person(s) had access to the information for an extended period of time
  • Sophisticated hacker tools were used for the unauthorized access to a network containing PII files
  • A privileged account–such as root or an administrator, or a non-privileged account with access to PII–was compromised
  • Multiple systems containing PII were compromised
  • The attacker was known, and was a disgruntled insider, unhappy customer, or another third party that had a known motive to harm the company in some way
  • There were multiple attackers involved
  • There are indications that the information was used by an unauthorized person, such as fraudulent accounts were opened or identity theft reported
  • There was a significant amount of time between the start of the compromise and compromise discovery
  • The compromise was a directed attack against a specific system or network as opposed to an automated attack against any vulnerable system or network
  • The attack or compromise appeared to seek and collect specific information, such as PII
  • The attack or compromise appeared to include tampering with records, such as changing grades, account values, passwords, or account capabilities
  • The attacker attempted to cover up his or her activity
  • The attacker released information to the public, or posted to a Web site, about the attack

It is reasonable to consider that the likelihood that PII was accessed is much less if:

  • The PII was encrypted using a strong encryption algorithm
  • The application, database, or network compromise was identified quickly; within mere minutes
  • Logs indicate databases and files containing PII were not accessed by applications or via system utilities
  • No indications of network downloads exist
  • Less sophisticated and more benign hacker tools were used for the unauthorized access to the network

As the list at the beginning of this article demonstrates, breaches come in all shapes and sizes. Many breaches require significant technical analysis to be able to determine the situations previously listed. You may need to obtain the help of highly skilled forensic investigators to assist with the evaluation of potential harm to the network as well as potential access to PII.
How Will Notification, or Lack of, Impact Your Organization?
When making the determination for whether notification for a privacy breach must occur, answer the following important questions:

  • What is the potential damage to individuals if notification is not given?
  • What is the potential damage to your organization if notification is given?
  • What is the potential damage to your organization if notification is NOT given?

Keep in mind most consumers look more favorably upon organizations that provide notification, even if not legally required, than if organizations do not provide notification following a privacy breach.
Have thoughts or feedback about this article? Please let me know!
Also, please let me know if there are other topics you would like to see me write about.

Tags: , , , , , , , , ,

Leave a Reply