I always look forward to Verizon’s annual Data Breach Investigations Report. Verizon dropped the 2017 DBIR last week, and for the 10th year in a row it cuts through the confusing landscape of security incidents and data breaches with analysis, alacrity … and yes, attitude (in what other report can you find a paragraph heading like “Tall, Dark, and Ransom”?).
The 2017 DBIR distills global information from 65 collectors of incident and breach data, analyzing 42,120 security incidents and 1,925 breaches that occurred during 2016. The threat environment changes each year, but one of the reasons I value the DBIR is that it shines a light on a few key things that don’t change. Here are four central aspects of data security that endure – and which we forget at our peril:
Effective June 16, New Mexico will be the 48th state with a PII data breach notification statute. New Mexico joins the vast majority of states, plus the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands, in requiring notice to affected residents of PII security breaches – as of June, only Alabama and South Dakota will lack such a law.
Like other states’ statutes, New Mexico’s new law is triggered by the residency of the affected individuals, and so companies across the country with PII of New Mexico residents must now fold the New Mexico requirements into both their PII policy definitions and their breach response protocols.
So, how does New Mexico’s new statute fit into our perplexing puzzle of PII breach notification laws?
When Earth Day rolls around each year, I can’t help but think of the picnic scene from Mad Men. After Don Draper chucks his empty beer can into the pond, Betty snaps the blanket, dumping their litter across the grass, before trundling the kids off to the family car (12 MPG, leaded gas, with no emissions control).
Mad Men‘s magic was culture clash, the shocking contrast between the oblivious then – sexism, homophobia, humans as ashtrays – and our enlightened now. What makes the picnic scene so memorable is the gobsmacking environmental thoughtlessness of that era, in which the only things green were money and envy.
And my, how far we’ve come. We reduce, reuse, and recycle. Some of us compost, and others glare at the poor souls who still occasionally litter. We spend extra money for energy-efficient vehicles and appliances. We tend to buy local and organic, and we worry about chemicals in our food and water. Most folks are concerned about climate change and believe we need to change human behavior to slow it. In short, we devote significant thought, time, effort, and resources to be environmentally responsible.
At the same time, we remain completely oblivious to the swirling plumes of data exhaust we emit every day, and the toxic accumulations of data in the landfills of our devices, servers, and cloud accounts. When it comes to data pollution, guess what – we’re Don and Betty.
OK, IT mavens, listen up … how much better would your life be if you only had to manage and protect 20% of your company’s data? By eliminating 80% of your data you could free up oodles of storage, reduce licensing costs, shorten backup cycles, and drastically cut e-discovery preservation costs, not to mention go home on time for a change. For most this sounds like an unrealistic pipe dream, but it doesn’t need to be. The trick is knowing which 20% to manage.
It lingers on – that vaguely guilty feeling that there’s something sanctionable, even illegal, about routinely destroying business data. That’s nonsense. It is well-settled United States law that a company may indeed dispose of business data, if done in good faith, pursuant to a properly established, legally valid data retention schedule, and in the absence of an applicable litigation preservation duty.
Even the courts themselves dispose of their data. Federal courts are required by U.S. law to follow a retention schedule approved by NARA, and to ultimately destroy records or transfer them to the Federal Records Center, as directed by that retention schedule.
Here are but a few of the many case decisions on this point:
I wish I had a bitcoin for every time I get an email with the subject line “Data Breach,” yet the facts upon investigation reveal no notifiable breach occurred.
In the Venn diagram of cyber security, the big rectangle is security incidents, enveloping a smaller circle of incidents that qualify as breaches under state PI breach notification statutes. And a still smaller circle is the set of breaches for which these statutes actually require notification of affected individuals.
So, what are common scenarios in which a security incident does not trigger notification duties under state PI breach notification statutes?
“What if ants were as big as dinosaurs?” I remember asking my kids that question, forever ago when they were young. Maybe the thought came from reruns of old monster movies, like the 1954 classic Them! (pictured here). Anyway, it was a cool game, for as the ant’s size multiplies, the laws of math, physics, and biology play their part:
- The ant’s exoskeleton wouldn’t be strong enough to support the increased weight, so an internal skeleton is needed.
- Gravity would play havoc with the ant’s open circulatory system, so a closed system is crucial.
- The ant’s energy needs would soar, and so a different diet and digestive system are required.
- The ant’s newfound size would totally alter its place in the food chain (The Lion King, “Circle of Life,” right?), driving fundamental changes in behaviors and capabilities.
- And on, and on.
Until, we finally end up with an ant the size of a dinosaur … that looks a lot like a dinosaur.
But what’s this have to do with Information Governance?
There’s been a lot of news lately about “secret” messaging in government, including inside the White House and the EPA, and last week’s revelation that Vice President Pence conducted state business with a private email account while Governor of Indiana. So there’s lots of angst right now about under-the-radar communications. When you think about it, though, it’s really old news tied to new technology. The only difference is the growing sophistication of the tools in the last few decades. Old School: clandestine meetings in parking garages. New School: disappearing messages.
What is really at issue here is not the technology, but rather the implied intent of circumventing rules (if they exist), and whether or not the communications are records. By any measure, if the communication is a record as defined by public or private rules, it must be retained. Herein lies the problem.
Sorry to revive ugly memories of last fall’s vituperative presidential campaign, in which bile was spewed over candidate Clinton’s use of a private email server while Secretary of State, and its vulnerability to hacking. Clinton eventually conceded that her use of a personal email server was a “mistake.” Which it was, on so many levels.
Now, news reports indicate that Vice President Mike Pence, while Governor of Indiana, used a private email account (AOL, no less) to conduct state business. And that some of the messages apparently contained sensitive law enforcement and Homeland Security information. And that, unlike Clinton’s private server, Governor Pence’s personal email account was actually hacked. And that the hack occurred (wait for it) last summer – in the midst of all of the self-righteous indignation over Clinton’s email practices. Thankfully, Governor Pence and his wife were NOT stranded in the Philippines, and we did NOT need to wire them emergency funds.
These revelations will no doubt spur cries of bald-faced hypocrisy, and equally heated arguments that Pence’s situation is different from Clinton’s (AOL v. private server, Governor v. Secretary of State, sensitive Homeland Security information v. classified information, and so forth).
But here’s a thought – instead of yet another round of beating ourselves over the head with partisan cudgels, what if we tried something different this time?