In fighting terrorism or fighting identity theft, the smart triple focus is on prevention of harm through good protection, detection and response. Chuck Todd just did a nice job of showing that foreign terrorism in the US is not principally a refugee problem; it is principally a visa problem:
Simply studying the harm closely enough to notice that the 9/11 attackers entered on visas rather than as refugees may open some eyes. Likewise, with a little help below, LabMD and its progeny may open some eyes about how we can and must protect ourselves in the cyber-world.
The day after the LabMD decision, I wrote the post linked here because the whole world appeared to be ignoring the importance of that stunning decision. In the week since, hundreds of posts, alerts and articles about LabMD have been written, yet they, and the media questions I am now struggling to answer, still miss some of the most important ways in which the case may affect our lives. Many good pieces grasp that the case will make the FTC more selective in choosing cases, more focused on cases in which harm is probable, and that it gives FTC targets ammunition when harm is not probable. Because those pieces are generally written by FTC-watchers rather than by people who manage breach responses every day, however, they miss one thing: reading the first prong of Section 5(n) of the FTC Act — “the act or practice causes or is likely to cause substantial injury to consumers” — as requiring a showing that harm is probable will force the FTC to begin to understand good detection and response.
As a breach coach, managing incident response, my job is usually to prevent or reduce harm after a breach has occurred. For that reason, I have always regarded the FTC’s expert testimony in LabMD as detached from the reality of what organizations can do in response to breaches, and as resting on the demonstrably false belief that breaches in themselves cause harm, when in reality a well-orchestrated response to a breach often prevents harm. The FTC has never wanted to know much about breach response, because to bring cases on the theory that security the FTC itself deems not “reasonable” “causes or is likely to cause substantial injury to consumers,” the FTC must ignore the intervening factor of breach response entirely. The weakness of the expert testimony in LabMD reveals an agency that has never before had to make the case for that great leap: what I call the deflation of a castle of air. One of the many reasons LabMD is a great decision is that it will force the FTC, for the first time, to grapple with whether a response to a breach has in fact prevented probable harm, even where the breach before that response was likely to cause harm.
This analysis is made every day by managers of incident response. Most state breach notification laws incorporate the concept of harm or its equivalent, and almost all of them use the “compromise” of the integrity, security or confidentiality of personal information as the notice trigger. That the latter concept is tied to harm was shown by HHS in its final HIPAA breach rule, which built an intelligent four-part risk assessment on the “compromise” language in the HITECH Act. It requires an organization to determine:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed;
- The extent to which the risk to the protected health information has been mitigated.
Common sense, right? Not to the FTC. This week I was astonished when the State of Georgia foolishly sent 6 million SSNs and driver’s license numbers out on twelve discs to twelve organizations, the Secretary of State then foolishly sat on the issue for six days before being called out — a no-brainer, slam-dunk, easy incident response issue — and the local paper went to the man who had been in charge of the FTC’s expansion of its “unfairness” authority into data security. This is what the paper got back:
“This is a very serious breach involving a huge number of Georgia residents,” Vladeck said in an email. “The types of information released — especially SSNs and driver license records (which generally have addresses, dates of birth, pictures and other uniquely identifying information) — are very, very valuable to identity thieves.”
Worried that my state might actually listen to this nonsense, I wrote a simple and emphatic post giving the State self-evident, elementary advice on how to close the issue and prevent harm, and that is apparently exactly what the State did. Once the FTC is required to show probability of harm, even the FTC’s own experts may start asking how harm can be prevented through effective response before presuming that harm has occurred.
A sense of how to assess the probability of harm, and how to prevent it, is also absent from many journalists’ questions. One question I am responding to, and find troubling, is: “How do you think this case will affect the FTC’s ability to pursue cases where there is no criminal intent involved?” Criminal intent is not necessary for harm to be probable, nor would criminal intent, if proven, necessarily make harm probable. Good breach response regularly prevents harm in cases involving clear criminal intent. Every good breach risk assessment weighs the circumstances of the breach, including, as just one factor, what is known or reasonably inferred about the purpose of the breach (which of course is not the same thing as proving criminal intent). For those uncomfortable with such analysis, I commend the four-part HIPAA risk assessment above as a carefully crafted yet simple way of looking at incident risk.
Harm prevention and mitigation in incident response is a practical activity that often requires coordinating legal, technical and communications work. A resilient organization is good not only at protection but at detection and response, and regulation for resilience punishes organizations not for detecting breaches but for failing to respond to them effectively so as to prevent harm. With LabMD’s help in deflating castles of air, we can help the FTC focus on good breach response as a critical part of reasonable security.