Period: 2017
URL: Estimating the size of the iceberg from its tip : An investigation into unreported data breach notifications
Description:
A decade has passed since the enactment of data breach notification laws (DBNLs) in numerous U.S. states. These laws require companies that have suffered a data breach to inform the customers whose data might have been exposed. The intent of DBNLs can perhaps be best summed up in the phrase: “sunlight is the best disinfectant”. Whether the goal of incentivizing better security practices has been realized is the subject of an ongoing debate (e.g., Romanosky et al. 2011, Bisogni 2016). What is clear, however, is that they have offered more visibility into the state of data breach events in the United States. That being said, it is also clear that an unknown number of breaches remain hidden from view. The Identity Theft Resource Center’s (ITRC) Breach Report, and similar databases, only contain breaches that have become public knowledge. As Figure 1 illustrates, a breach first needs to be detected by the affected organization (move from 4 to 3), then one or more relevant parties need to be notified (move from 3 to 2), before it can become publicly reported (move from 2 to 1). A simple statistic highlights that many breaches never make it past the last hurdle. The notification letters that are made public by the Attorney General in four U.S. states account for approximately 40% of all reported breaches in ITRC in 2014, while these states host only 14% of U.S. firms and 15% of the population. The organization maintaining the ITRC also acknowledges the issue: “We are certain that our ITRC breach list underreports the problem” (ITRC 2017). This paper sets out to provide an enhanced understanding of the submerged part of the iceberg. We first leverage differences among DBNLs in different U.S. states to estimate the impact of certain provisions on how many breaches have triggered notifications yet did not become publicly reported. In other words, we can estimate level 2 of the iceberg. Data breach statistics highlight significant differences among U.S. states (see Figure 2). We model the number of reported breaches as a function of the different DBNL provisions across the states, while controlling for the size of different sectors in each state and other factors. Our model also includes the impact of the “risk of harm” exemption in some DBNLs, which allows breached organizations not to notify affected consumers if, after a reasonable investigation, they determine that there is no reasonable likelihood of harm to customers stemming from the breach. States with this exemption report fewer breaches. This means that affected organizations never notified anyone in the first place. By modelling the impact of the risk of harm exemption on the number of reported breaches, we can estimate how many breaches are detected but not notified because of this exemption – a portion of level 3 of the iceberg.
Finally, we catch a glimpse of the deepest part of the iceberg – level 4 – by analyzing the notification letters in four states. In those states, the Attorney General publicly reports all notifications. We have coded all breach causes mentioned in those letters. Interestingly enough, the sector with the lowest breach rate (‘retail and other business’) is also the one with the highest ratio of breaches caused by ‘hacking’ and the lowest ratio of ‘unintended disclosure’. This suggests that security practices in this sector fail to detect a significant number of breaches, contributing to a breach rate that is between 2 and 12 times lower than in other sectors. The notification letters also allow us to look at notification and detection times by modeling the time span between the notification and, respectively, the breach discovery by the organization and the breach event. This lets us identify the breach causes whose notification times are most out of line with individuals’ need to defend themselves promptly against potential harm. Our analysis shows that there is quite a lot that is not known about U.S. data breaches. That being said, the security community knows much less about breaches in Europe. This is evident from browsing public databases that have gathered known data breaches, such as the ITRC, which contains only breaches affecting U.S. residents. The European Union (E.U.) has recently introduced its own industry-wide DBNLs: a directive and a regulation will extend the weaker and sector-specific security breach notification laws that previously applied only to the telecom sector. Our analysis helps the E.U. learn from the results of almost 15 years of regulation in the U.S., since the enactment of the first DBNL in California, giving relevant insights in view of the adoption of the Data Protection Package.
In short, the contributions of this paper are as follows: (i) to model the impact of DBNL provisions on the number of known data breaches and on breach notification times, while controlling for sector and state differences; (ii) to estimate the number of breaches about which notifications have been issued but that are not publicly reported; and (iii) to discuss the key elements of DBNLs that make those laws effective, in view of the implementation of the European regulation on security and data breaches.