The California Department of Insurance (CDI) fixed a vulnerability found on interactive.web.insurance.ca.gov on November 9, 2018 — the same day it was reported to the department by Indian firm Banbreach. The site had been hosting an Oracle reporting server that, according to Banbreach’s observations, had generated more than 24,450 reports in a 24-hour period.
Banbreach received an acknowledgement of its vulnerability report and a request for assurances that it would not misuse the data it had found. But Banbreach could not find, and has not found, any evidence of a public disclosure of the incident by the Department.
The Indian firm raised the matter with DataBreaches.net, which published its own observations yesterday. The post points out that “thousands — or even, perhaps, millions — of people” could have had personal data — including their social security number — exposed to anyone with internet access.
DataBreaches.net could similarly find no evidence of public disclosure by CDI. However, after contacting CDI, it received a copy of a notification letter sent out by CDI on December 14, 2018 — more than a month after learning about the breach. CDI also told DataBreaches that the notification would not appear on the state’s web site because “the incident did not affect the number of persons that would otherwise generate such a requirement. (See Cal. Civ. Code section 1798.29.)”
This raises an important point for and about privacy in the U.S. Almost all current state-level privacy laws require public disclosure when the affected persons exceed a particular number, but allow the affected party to decide on how many people were indeed affected.
The disclosure notice sent out by CDI states, “An internal investigation revealed that, from the time this vulnerability began until the date CDI corrected the error, the only member of the public that accessed these reports was the cybersecurity business that discovered and reported the vulnerability to CDI.”
There is no suggestion that this statement was made in anything but good faith. Nevertheless, it demonstrates a loophole in the disclosure requirements of many state-level privacy laws. Where the number of affected people is specified by the breached firm, less scrupulous companies might be tempted to falsely minimize the extent of the breach to avoid the necessity of going public.
In this case, where the State of California is leading the way with its more stringent California Consumer Protection Act (CCPA) law coming into force next year, it would be reasonable to expect a government department to go beyond the letter of existing laws.
“This,” points out Abhishek Iyer, technical marketing manager at Demisto, “is one of the common loopholes inherent in most U.S. state breach notification laws… In every case, the notification requirement is contingent on the number of people affected (different states have different number thresholds). The loophole is that the number of affected people is usually determined by the company in concert with law enforcement officials. I’m paraphrasing here, but these laws usually state that if the company thinks the breach isn’t likely to cause serious harm, they don’t need to notify affected users.”
Mukul Kumar, CISO and VP of Cyber Practice at Cavirin, adds, “The CCPA is now planned to take effect in 2020, and there are still changes being made. I’d assume that datapoints such as this will help create an even more robust regulation… I’d hope that there will be a robust baseline in place for notifications across all sectors.”
Ken Underhill, Master Instructor at Cybrary, warns that U.S. laws shouldn’t become too strict. He points out that by removing the restriction on individuals waiting for the breached company to notify the attorney general before allowing a civil action may improve notifications. “We may see this help improve breach notification, if companies (and public entities) know they may face swifter civil litigation over breaches. In the past, things have been slow with governmental red tape.”
However, he adds, “I do think not setting a criterion for number of users affected can show weakness in CCPA; however, we have to ask ourselves if companies should have to incur notification costs of small breaches (<10 users). We have to find the best middle ground.”
Tom Kellermann, chief cybersecurity officer at Carbon Black, takes an opposing view. “Under the CCPA, [CDI] would have had to remediate the Oracle vulnerability in a timely fashion and replace the social security numbers with another identifier or alias. I do not feel that size of the exposure is relevant. An organization should report regardless.”
Increasingly strict U.S. privacy and notification laws should be seen against the backdrop of Europe’s wide-ranging and far-reaching General Data Protection Regulation (GDPR). While this has placed strict requirements on how companies holding EU residents’ data handle that data, the effect has been improved company security and better safeguards for users. “Thanks to the GDPR,” explains Nathan Wenzler, senior director of cybersecurity at Moss Adams, “we’ve already seen a massive uptick within the EU of organizations putting in place many new security measures and privacy controls to help protect user information and to provide more control directly to the individual for how their data is used.”
He believes that GDPR is becoming a blueprint for U.S. privacy laws. “The CCPA and similar legislation out of New York are steps toward similar protective measures… However, more legislation is on the table, including at the federal level that will more closely mimic what the EU has adopted with the GDPR. That means organizations will be required to be much more stringent in how they protect user information, how quickly they must disclose when a user’s data has been exposed to any unauthorized party within a short, specific timeframe (commonly said to be 3 days, like the GDPR requires) and how these organizations must respond to oversight to ensure these controls are in place.”
He believes that organizations, and that would include CDI, should be preparing to conform with what will become required rather than what is currently required. “Every organization that houses personal information of any type would be wise to get proactive about these things and start putting in place the kind of privacy and disclosure programs that their customers and users are already wanting, and regulations will soon be requiring.”
That will mean closing the loophole that currently exists. “In their current form,” suggests Iyer, “US state breach notification laws are robust (on paper) but have clear opportunities for workarounds, which definitely do not align with their intended purpose.”
One possible solution, he adds, would be “to institute a neutral third-party (either from the government’s side or in a regulatory capacity) that receives these breach notifications and makes a decision about their seriousness.”
In the meantime, the loophole continues.