Wednesday, June 27, 2007

CA, IN Consumers: Your Email Address is not PI

Two states - California and Indiana - recently enacted laws designed to better protect electronically-stored personal information gathered from consumers in these states.

There's only one problem: neither state's law treats an email address as PI (Personal Information).

The ramifications of this were recently on display when a phishing scam targeted 30,000 students of the Indiana University Credit Union.

The penny dropped for Christopher Soghoian, a PhD student at IU (and Facebook security issue blogger), when he received a phishing email claiming to be from the credit union at an email address that he had just created and that was not publicly discoverable through any search engine.

He immediately assumed, rightly as it turned out, that IU Credit Union's email address list had been compromised, and contacted the credit union to find out why they hadn't notified him of the problem. The details of the lengths he had to go to before IU would admit that its list of accounts had been compromised are reproduced here.

His initial suspicion - that the server had been hacked - turned out to be incorrect. But the discovery that anyone logged into the machine could potentially have downloaded and sold the information wasn't exactly comforting either.

So why didn't IU let the students know of the problem?

As it turns out, like California's SB 1386, Indiana Code 4-1-11, which sets out the rules on security breaches, doesn't treat an "email address" as "personal information". Here's the relevant section:

Indiana Code 4-1-11-3
"Personal information"
Sec. 3. (a) As used in this chapter, "personal information" means:
(1) an individual's:
(A) first name and last name; or
(B) first initial and last name; and
(2) at least one (1) of the following data elements:
(A) Social Security number.
(B) Driver's license number or identification card number.
(C) Account number, credit card number, debit card number, security code, access code, or password of an individual's financial account.
(b) The term does not include the following:
(1) The last four (4) digits of an individual's Social Security number.
(2) Publicly available information that is lawfully made available to the public from records of a federal agency or local agency.

California's definition of "personal information", set out in SB 1386, is "an individual's first name or first initial and last name in combination with any one or more of the following, when either the name or data elements are not encrypted: (a) Social Security number; (b) driver's license number or California ID card number; (c) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account."
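To make the gap concrete, here is a small breach-triage helper, added as an example and not part of the original post, that applies the two definitions quoted above to a description of what was exposed. It assumes a constructed set of field names (for example "email", "ssn", "account_number") and an ExposedRecord type of my own; it is a simplified reading of the statute text, not a substitute for counsel. The point it makes is the post's point: a leaked list of names and email addresses triggers neither statute, while the same list with SSNs triggers both.

```python
# Added example (not from the original post): a triage helper that applies the
# Indiana Code 4-1-11-3 and California SB 1386 definitions quoted above to a
# description of an exposed data set. Field names and the ExposedRecord type
# are assumptions made for this example.
from dataclasses import dataclass

NAME_FIELDS = {"first_name", "first_initial"}
ID_ELEMENTS = {"ssn", "drivers_license", "state_id_card"}
ACCOUNT_ELEMENTS = {"account_number", "credit_card_number", "debit_card_number"}
ACCESS_ELEMENTS = {"security_code", "access_code", "password"}
# "ssn_last4" is deliberately absent from ID_ELEMENTS: IN 4-1-11-3(b)(1) excludes it.


@dataclass
class ExposedRecord:
    """What a breached data set contained, as a set of field names.

    Constructed representation: an email list is {"first_name", "last_name", "email"},
    a member roster {"first_name", "last_name", "ssn"}, and so on.
    """
    fields: set
    encrypted: bool = False       # CA: no duty when both name and data elements are encrypted
    public_record: bool = False   # IN: lawfully public federal/local agency records are excluded


def _has_name(fields):
    # Both statutes: (first name or first initial) together with last name.
    return "last_name" in fields and bool(fields & NAME_FIELDS)


def is_personal_information(rec, state):
    """Return True when the exposed fields meet the given state's PI definition.

    state is "IN" (Indiana Code 4-1-11-3) or "CA" (SB 1386), as quoted in the post.
    """
    f = rec.fields
    if not _has_name(f):
        return False                      # an email address alone never qualifies
    if state == "CA" and rec.encrypted:
        return False                      # CA covers unencrypted data only
    if state == "IN" and rec.public_record:
        return False                      # IN (b)(2) carve-out
    if f & ID_ELEMENTS:
        return True                       # SSN, driver's licence or ID card number
    if state == "IN":
        # IN (a)(2)(C): any account/card number or credential of a financial account
        return bool(f & (ACCOUNT_ELEMENTS | ACCESS_ELEMENTS))
    # CA (c): account/card number together with the required code or password
    return bool(f & ACCOUNT_ELEMENTS) and bool(f & ACCESS_ELEMENTS)


def notification_required(rec):
    """Return the set of states ("IN", "CA") whose notice law the record triggers."""
    return {s for s in ("IN", "CA") if is_personal_information(rec, s)}


if __name__ == "__main__":
    email_list = ExposedRecord({"first_name", "last_name", "email"})
    roster = ExposedRecord({"first_name", "last_name", "ssn"})
    print("email list:", notification_required(email_list) or "no statutory duty")
    print("SSN roster:", notification_required(roster))
```

Running it shows the email list returning an empty set for both states, which is exactly why the credit union had no legal obligation to tell its members; the roster with SSNs returns both. The helper also captures the smaller differences between the two statutes: an account number alone satisfies Indiana but not California, while Indiana's public-record exclusion and California's encryption exemption each remove only their own state from the result.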

Governments need to enact provisions requiring companies to also notify their customers in the event of an email breach. Email is the primary vector associated with online frauds, such as phishing and hoax emails. Virtually all identity fraud scams start with an email.

There are significant technical and commercial challenges involved - not the least of which is that the channel used to notify the consumer of the breach may itself be the compromised one - but that doesn't mean the technology isn't available to meet them.

Technology usually rises to meet the expectations of lawmakers. Knowing that your email address has been compromised would possibly be among the most useful of consumer notifications.
