Monday, March 09, 2009

Do Breach Notification Laws Work?

Deirdre Mulligan, professor of information technology law and policy at UC Berkeley's School of Information, was one of several speakers at a Security Breach Notification symposium held in Berkeley last Friday. The symposium's aim was to try to answer the question of whether breach notification laws are actually working.

California passed the first data breach notification law in 2003, and it quickly became the standard for the rest of the country. While it is clear that the laws have made the public more aware of the vulnerability of their data and have exposed poor security practices at many a business, it is unclear what other benefits the laws have had. Breach notifications should, in theory, reduce the incidence of identity theft or fraudulent credit card charges, provided consumers take proper precautions when they receive a notification, such as placing a fraud alert or a freeze on their credit account because of suspicious transactions.

There are also other questions to ask about what effect breach notifications have on the relationship between the customer and the breached organization. While consumers often express anger and mistrust toward companies that lose their data, it is unclear how often that mistrust actually translates to action.

According to Professor Mulligan, a Ponemon study found that about 20 percent of respondents claimed to have terminated their relationship with a company after discovering the company experienced a breach. But a separate survey of companies found that the percentage of customers who actually do terminate their relationship is less than 7 percent. Both numbers need to be taken with a grain of salt.
"Consumers have a tendency to say they're going to do one thing when they actually do another," says Mulligan, "and companies also can't be relied on to honestly report the numbers of customers they lose from a breach."

See the full article in Wired.

Monday, March 02, 2009

Shankar Sastry interviewed on Federal News Radio

Dr. Shankar Sastry, Dean of the College of Engineering at the University of California, Berkeley, was interviewed by Tom Temin for 'Federal Security Spotlight' on Federal News Radio in his role as director of the Team for Research in Ubiquitous Secure Technologies (TRUST).

Sastry described TRUST, funded by the National Science Foundation and housed at the University of California at Berkeley, as a team of some of the best minds from UC Berkeley, Vanderbilt, Cornell, Carnegie-Mellon, and Stanford Universities, with Smith, San Jose State University and Mills College as outreach partners, formed to examine the interconnection between cyber infrastructure and physical infrastructure. The complex interplay of component technology, policy, law, privacy issues and economic considerations is the motivation for putting together the TRUST Center.

Prof. Sastry described how initially it was the internet that was the primary security concern, with various worms and viruses emerging, but as time went on, power, water, telecommunications and other physical infrastructures also became implicated in security concerns.

Temin raised the issue of security and health-care concerns with electronic medical records/personal health records. The issues, according to Prof. Sastry, are about trying to make sure that (a) we can collect this information and (b) we can make the information available without all the paperwork. Having the data available to the patient is also an objective.

"The issues of privacy and selective disclosure is a subject of some debate," says Sastry. "I think there are legitimate needs for the medical industry to learn about, say, the efficacy of certain drugs," but there is also a tension, he says, in that personal and medical records are seen by many entities: billing, pharmaceuticals, and different kinds of doctors. Sastry observed the need to stop any 'mining' of this information and a need to be able to stop a 'fishing expedition' in this area.

TRUST research is focusing on both the security and the privacy of patients, as well as the possibility of a patient 'customizing' their records to make some records available to their doctors only.

Another area of research involves wireless networking vulnerabilities. Sastry describes a scenario where we will literally have a thousand radios around people, controlling the physical environment by means of embedded RFIDs and wireless sensor networks, evolving to a future of computation on wireless devices. Dr. Sastry says we need a reliable and secure medium for a wireless network. Wireless airwaves are not as reliable as a wired infrastructure because they are susceptible to jamming, to retransmission, etc.

A secure communications medium interacts with both privacy and security. The privacy agenda enters in subtle ways: by anonymizing the data, for example in real-time traffic monitoring via cellphone, the system cannot be subverted into a means of tracking someone as they are driving in traffic. Cellphones will be used more and more as sensor networks.

Sastry described TRUST's mission as deriving security solutions in a principled way that is not reactive, unlike the cat-and-mouse pattern of attacks followed by solutions followed by new attacks that has been the case thus far.

To listen to the complete interview (in 3 parts), go to Federal News Radio.