By Cam Kollar
In 2018, there were 6,515 reported breaches exposing approximately 5 billion records. It seems like every other day the news informs us of yet another data breach. Because the same words are used over and over again, it is hard for any single breach to stand out in the average person’s mind. Is it bad? Yes. Do we think of ourselves as actually harmed by each of those breaches? Probably not. Should that be our stance? Definitely not.
I suspect that most people, when not facing a direct harm from a specific data breach, have become desensitized to the impact on individual persons. Apparently, I’m not the only one with this thought in mind. This past February, Daniel J. Lohrmann wrote a blog post analyzing reports about data breaches in 2018. He believes, in his expert opinion, that we have become numb to data breaches, and that the reports and headlines are getting less and less meaningful attention from the public. So, who is Daniel J. Lohrmann, and why should it matter what he thinks? Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker, and author. More telling of why he is an internationally recognized expert is the breadth of his experience. He has over 30 years of experience in the computer industry, working at federal, state, and local government agencies, defense contractors, public and private sector organizations, Fortune 500 companies, small businesses, and nonprofit institutions. This expert has the experience to analyze the data breach reports from a wide variety of perspectives, and because of all this, I do not take his perspective lightly.
These breaches have the ability to affect most of us in significant ways, such as identity theft and/or identity fraud. In 2016, 31.7% of breach victims later experienced identity fraud. According to TrueIdentity, identity theft is the criminal act of stealing personal, private, or financial information with the intent to use that information to assume another person’s identity. Identity fraud, on the other hand, is the actual use of the information stolen in an identity theft. In 2018, an estimated 65% of data breach incidents involved identity theft.
Because data breaches are a significant problem, all 50 states, along with Washington D.C., Puerto Rico, Guam, and the Virgin Islands, have legislation that requires disclosure of security breaches. The statutes define what constitutes a breach, what meets the definition of personal information, and who must be notified of the breach, how, and by when. A number of different pieces of information qualify as personal information beyond what people consider the most sensitive (i.e., social security numbers, bank account numbers, passport numbers). For instance, in Delaware, personal information is defined as a resident’s first name or first initial and last name in combination with another data element that relates to that individual, such as a username or email address in combination with a password or security question and answer that would permit access to an online account. Substitute notice is allowed when there is insufficient contact information to provide direct notice, and it consists of all of the following: electronic notice if email addresses are known; conspicuous posting of the notice on a website page if the breached entity maintains one or more website pages; and notice to major statewide media, including newspapers, radio, and television, and publication on the major social media platforms of the entity providing notice. In other words, a notice that quietly appears where few people will see it does not meet the standard the statute sets.
On Thursday, April 18, 2019, Americans waited impatiently for the heavily redacted Mueller report to be released. The report, two years in the making, was the primary focus of everyone’s attention. Where everyone’s attention was not was on a notification by Facebook that millions of Instagram users’ passwords had been compromised in a data security lapse. More specifically, the notification was a one-line update buried in the middle of a blog post that had reported the lapse back in March. On March 21, 2019, Facebook had announced that during a routine security review in January it discovered that user passwords were being stored in a readable format (that is, in plaintext rather than hashed) within its internal data storage systems, where employees could have read them. On Mueller day, Facebook added a note to that same post that, in addition to the “hundreds of millions” of Facebook Lite users and “tens of millions” of other Facebook users already affected, “millions” of Instagram users were now also affected by the security lapse.
Was this sufficient notice? The update was neither conspicuous, nor was it widely reported to statewide media. After reading about this update I can’t help but go back to the information contained in Daniel J. Lohrmann’s blog: 65% of data breaches involved identity theft, and social media incidents accounted for over 76% of records breached. How much risk are we undertaking by using social media?
Dan Lohrmann, Data Breaches: What do the Numbers Mean?, Lohrmann on Cybersecurity & Infrastructure(Feb. 17, 2019), https://www.govtech.com/blogs/lohrmann-on-cybersecurity/data-breaches-what-do-the-numbers-mean.html.
Dan Lohrmann, Chief Security Officer & Chief Strategist at Security Mentor Inc., Government Technology, https://www.govtech.com/authors/MT-Author-GT-Dan-Lohrmann.html (last visited Apr. 22, 2019).
See Matt Tatham, Research: Identity Theft Statistics, Experian(Mar. 7, 2019), https://www.experian.com/blogs/ask-experian/identity-theft-statistics/.
A subsidiary of TransUnion.
See Identity Theft vs. Identity Fraud: What’s the Difference?, TrueIdentity, https://www.trueidentity.com/identity-theft-resource/identity-theft-vs-identity-fraud (last visited Apr. 22, 2019).
See Lohrmann, supra note 1.
See Security Breach Notification Laws, NCSL (Sept. 29, 2018), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
See Del. Code Ann. tit. 6, § 12B-101 (7) (2018).
See Del. Code Ann. tit. 6, § 12B-101 (5)(d) (2018).
E.g. Mike Levine, The Russia probe: a Timeline from Moscow to Mueller, ABC, (Apr. 17, 2019, 5:02 PM ET), https://abcnews.go.com/Politics/russia-probe-timeline-moscow-mueller/story?id=57427441.
See Ethan Baron, Facebook, on Mueller Day, Drops Bad Instagram News in a Month-Old Blog Post, The Denver Post (Apr. 19, 2019, 8:11 AM), https://www.denverpost.com/2019/04/19/instagram-passwords-compromised-facebook/.
E.g., Pedro Canahuati, Keeping Passwords Secure, Facebook Newsroom (Mar. 21, 2019), https://newsroom.fb.com/news/2019/03/keeping-passwords-secure/; Dunja Djudjic, Facebook Confirms That a Recent Password Leak Affected Millions of Instagram Users, DIY Photography (Apr. 21, 2019), https://www.diyphotography.net/facebook-confirms-that-a-recent-password-leak-affected-millions-of-instagram-users/.
See Pedro Canahuati, Keeping Passwords Secure, Facebook Newsroom (Mar. 21, 2019), https://newsroom.fb.com/news/2019/03/keeping-passwords-secure/.
See, e.g., Dunja Djudjic, Facebook Confirms That a Recent Password Leak Affected Millions of Instagram Users, DIY Photography (Apr. 21, 2019), https://www.diyphotography.net/facebook-confirms-that-a-recent-password-leak-affected-millions-of-instagram-users/.
See Lohrmann, supra note 1.
Image Source: https://www.theinquirer.net/inquirer/feature/2320371/2013-was-a-very-hacked-year