Saturday, July 10, 2010

What Blizzard Doesn't Want You To Know - Part 3

Argument #2: Blizzard is required by federal and state law to notify of data breaches.

This was a pretty common reply actually and I was a little bit surprised that people believed this. A quick investigation would have revealed the truth. But that's what this series is all about: awareness.

You see, data breach laws vary from state to state and some states don't even have legislation at the moment.

There are also no federal laws that regulate data breach notification. However, there are some that regulate the type of information that can be collected and the levels of security recommended (really, it's just helpful guidance). Since data breach laws in the US vary from state to state (if a state has a law at all), each law may be drastically different in regard to what is classified as a breach, fines, reporting, what needs to be notified, who is notified, governing bodies, etc. As you can imagine, some state laws are more flexible than others. And that's only if the data is physically located in the US.

Consider the number of corporations that outsource or offshore their operations overseas. Due to their location, they are under no obligation to report any data breaches that may occur. Here are some companies that outsource/offshore, by the way: IBM, Microsoft, Oracle, Cisco, HP, Dell, Gateway, AT&T Wireless, Telus, Bell Canada, GE, and, wait for it... Blizzard.

Under current CA State Law, Blizzard would typically only need to notify the single person affected (no mass announcements), and that's only if they confirm without a doubt that the individual's information was indeed breached. HOWEVER, Blizzard is under no obligation or law that requires them to notify anyone.

The most important data breach component is the "trigger mechanism". In California, the obligation to notify an individual of a security breach is triggered when the breach is likely to result in "serious harm" or involves a "serious risk". The threshold for "serious harm" or "serious risk" is an external determination.

It is the internal organization itself, however, that determines what constitutes a "serious harm" or "serious risk". There is no external body that performs this function. Additionally, there is no requirement to report to an overseeing body, nor is there any sanction for failing to notify individuals of a security breach.

These risk assessments are determined internally, and there is no external body, nor even a requirement to report to such an external body. A WoW account being stolen would not be classified as "serious harm" or "serious risk" for the individual involved. Hence, Blizzard is exempt from data breach notifications. Even credit card theft would not be a trigger, due to the low risk involved to the victim (unlike healthcare information).

Data breach notification laws were primarily focused on the health care industry and the government and educational sectors. There are other private organizations that report breaches, but it all depends on the type of data they keep. If you're interested in data breach announcements, go to Google News and search for "data breach".

Now, if something very bad were to happen, then yes, a large announcement would be made. The information would leak eventually, so it's in the corporation's best interest, as it would look very bad if they tried to hide the fact that some 200,000 accounts were breached. However, 50-200 account breaches per week is negligible, and an official announcement is unnecessary and not required by law.

To summarize, under existing law Blizzard is under no obligation to alert the public, or even the individuals themselves, in the event of an internal or external account breach.

(Other Sources: Senate Bill 1386, Senate Bill 1166, Federal Information Security and Data Breach Notification Laws, Do Data Breach Disclosure Laws Reduce Identity Theft?)

Addendum:

These sources also provided some interesting information on the subject of data breaches (identity theft) and a comparison of keylogging/phishing versus internal theft.

Identity Theft Causes (Internal Employee vs. External Keyloggers/Phishing/etc.) From 3 Different Research Groups