Friday, April 8, 2005

Loose lips when reporting privacy breaches

Computer theft may expose data on 180,000 patients - Computerworld


APRIL 08, 2005 (COMPUTERWORLD) - A San Jose-based medical practice has notified about 180,000 current and former patients about the theft of their personal information contained on two computers stolen from its offices during a burglary March 28.


And recall the other recent privacy breach due to a lost laptop:

Stolen UC Berkeley laptop exposes personal data of nearly 100,000


By MICHAEL LIEDTKE, AP Business Writer
Tuesday, March 29, 2005

A thief recently walked into a University of California, Berkeley office and swiped a computer laptop containing personal information about nearly 100,000 alumni, graduate students and past applicants, highlighting a continued lack of security that has increased society's vulnerability to identity theft.


Now, some have pointed out that the California law SB 1386 that required these organizations to disclose their privacy breaches has the unintended consequence of notifying the thieves of these laptops that there may be information on those laptops that would be worth far more than the laptops themselves--something that is probably not the primary goal of most laptop thieves. However, I actually think that in these two cases the organizations erred in disclosing too much information about the details of the breach.

Nothing that I read into SB 1386 says that you have to say exactly HOW the breach happened. The requirement in the law is simply that you have to "notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.", where "'breach of the security of the system' means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business."

So, the law requires that you notify the affected parties that

a) there was a breach, or
b) you have reason to believe that the affected party's personal information was disclosed

IANAL, but do yourself a favor and be sparing with the details of your next breach.
