Tuesday, 13 January 2015

Obama "data breach" bill ignores sensitivity of travel info

Today President Obama released the text of his proposal for a "National Data Breach Notification Standard".

The point of the bill is to create a nationally-standard requirement for businesses to notify consumers whenever "sensitive" personal or account information is improperly disclosed.

The President's bill is only the starting point for what will likely be (and should be) vigorous debate in Congress and by privacy advocates, data security experts, and the public.

But I want to point out two key flaws in the first draft proposed by the President, both of which pertain especially to travel, which could and should be fixed by fairly simple amendments:

First, the bill appears to have a loophole that could leave transportation common carriers -- airlines, railroads, bus companies, etc. -- exempt from its requirements. As written, the bill applies only to companies subject to the Federal Trade Commission (FTC) Act, which doesn't generally apply to communication or transportation common carriers or some financial services providers. The bill includes special provisions for coordination between the FTC and the FCC (for communications carriers) and the Consumer Financial Protection Bureau (for financial services providers). But it clearly needs to include a similar provision for coordination with the Department of Transportation (DOT) for issues pertaining to transportation carriers, over which the DOT and not the FTC currently has exclusive jurisdiction for consumer protection.

Second, perhaps more significantly, the bill omits location information from its definition of "sensitive" personal information, the leakage of which triggers notification requirements.

It appears that the bill wrongly conceives of identity theft and consequent financial loss as the sole, or at least the most significant, threat model for breaches of personal data security.

But that leaves out the grave, often violent (and not infrequently fatal) risks of stalking and harassment, primarily but not exclusively in the context of domestic abuse.

Victims of stalking, harassment, and domestic violence may be much more gravely endangered by involuntary disclosure of information about their location -- whether from cellphone traces or airline reservations -- than by disclosure of any of their financial records or account information.

There has been growing recognition that location information (including by definition travel data) is one of the key categories of especially sensitive and personally revealing data, along with health and financial information. But that insight didn't make it into the President's proposal, which urgently needs to be amended to explicitly define any information about the physical location of an individual person as being, per se, "sensitive" personal information.

This isn't a hypothetical issue.

Not long ago I accidentally discovered a major public leak, which was still ongoing until I reported it to the responsible company, of personal location tracking logs stored in conjunction with use of a "location-aware" smartphone app and associated Web-based service. I'll have more details once the service provider responsible for the leak has had a chance to mitigate the damage and disclose it to users. It appears, unfortunately, that the applicable state data breach notification laws currently have the same defect as President Obama's bill, and omit location data from the categories of personal data leakage of which triggers their notice requirements.

Link | Posted by Edward on Tuesday, 13 January 2015, 21:38 ( 9:38 PM) | TrackBack (0)
Comments
Post a comment









Save personal info as cookie?