Response to data protection white paper — breach notification

Sandesh Mysore Anand
6 min read · Dec 19, 2017

This is the response I submitted to the questions on “private data breach notification (Chapter IV, Part 2B)”.

Before we get to my response, let’s agree on what “personal data” is.

Here’s EU’s definition:

“personal data” shall mean any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.

The US uses PII (personally identifiable information), which is similar, but slightly narrower in scope. This is how NIST defines it:

“Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc”.

The EU definition’s broad scope makes it a good starting point. For the purposes of this response, let’s go with the EU’s definition.

1. What are your views in relation to the above?

See response to #6.

2. How should a personal data breach be defined?

A personal data breach should be defined as an event where an unauthorized actor gets access (read-only or read-write), temporarily or permanently, to an individual’s personal data.

Additional details:

This means that if Confidentiality (unauthorized read access) or Integrity (unauthorized write access) of personal data is compromised, it’s certainly a breach.

Availability is trickier. For instance, if an online banking website is down due to a Denial of Service attack, users cannot access their personal data. This does not mean someone else has unauthorized access to the data. On the other hand, it could also be looked at as an adversary imposing a “lock” on your personal data. For example: if you have locked your Aadhar biometrics and need to unlock them for a particular authentication, but the website is down, you are losing the ability to use your data. Would we consider that a “data breach”?

Given the complexities involved, it may be best to leave “Availability” out of the equation. As long as a security incident leading to a lack of Availability does not also lead to a loss of Confidentiality or Integrity*, it should be considered out of scope for this policy.

*An example of an attack which leads to a lack of both Availability and Confidentiality would be “Account Takeovers” followed by a password update, which are common in the e-commerce industry (e.g.: https://www.darkreading.com/endpoint/anatomy-of-an-account-takeover-attack/a/d-id/1324409?)

3. When should personal data breach be notified to the authority and to the affected individuals?

It’s safe to assume that notifying an individual about a breach is equivalent to making the breach “public”. Given the complexities involved in responding to a data breach, a one-size-fits-all “deadline” for reporting breaches to affected individuals will make it hard for entities to deal with the breach effectively. However, notifying the authorities does not carry such risks. Hence, the best approach would be to have a 5-day deadline for entities to report a breach to the authorities, counted from when the attack is first detected. As part of the report/notification, they should commit to a reasonable timeline to inform affected individuals and provide an explanation for their decision. The authorities should have the right to challenge that timeline.

Additional Details:

For the above policy to work, it is important for the concerned authority to be trustworthy. This includes establishing a secure communication channel with the reporting entity (e.g.: CERT-IN currently uses insecure mechanisms such as fax, email without PGP etc. to request breach notification), ensuring no “leaks” occur to the media etc.

4. What are the circumstances in which data breaches must be informed to individuals?

Anytime “personal data” is accessed by an unauthorized user, a notification should be sent to the affected individual. To make compliance easier, the data protection authority should publish a list of data types which constitute personal data.

Here’s a starting list of the kinds of data that can be considered personal data. This list should be periodically reviewed and updated. Borrowing from the California law, no reporting is needed if the leaked data is securely encrypted and hence unusable to the adversary.

  • Combination of first name, last name, age, phone number and physical address
  • Government issued unique identifier: Aadhar number, PAN, Voter ID number, Driver’s license number etc.
  • Banking information: Customer Relation Number, Debit/Credit card number, Account number, Account balance information etc.
  • Authentication information: Passwords in clear text
  • Other “linked” identifiers: This is defined as information which can be used to get further information about a user. For example: Insurance number, patient records in hospitals, vehicle registration details etc.
  • Data collected from mobile devices: A special list is required for mobile app developers, given the nature and size of the data collected. Any data processed or stored by the app should be part of the list. Example: SMS, location history, phone contacts etc.

5. What details should a breach notification addressed to an individual contain?

The notice should clearly state that the notification is about a data breach. Further, it should contain details about the type of data breached, the nature of the breach itself (minimal technical details should be provided, in language which can be understood by a reasonably informed audience), timelines of when the data may have been leaked, and contact information for further correspondence (this should include an e-mail address and an Indian telephone number). Finally, the reporting company should consider providing information about what measures the user can take to limit the damage from the breach, for example: change the password if credentials are compromised. (Additional details in the answer to #1.)

6. Are there any alternative views in relation to the above, other than the ones discussed above?

There are 3 other areas the committee should consider as we draft the breach notification law:

a. Enabling the creation of a market for monitoring services: Such a service would provide alerts to individuals if their personal data showed up in questionable locations (e.g.: the Darkweb). Apart from allowing individuals to monitor the usage of their private data (for a fee, of course), it also provides an opportunity for a breached entity to go above and beyond to help affected users recover from a breach. For example, a bank can offer to pay for these services for all victims of a breach which led to credit card data being compromised. It’s best if private players are invited to create such services, with some regulation from a data protection agency.

b. Public notification of breaches: A particular point from the draft caught my attention: “Reporting to media might put significant burdens on small companies. This option should be carefully weighed. Depending upon the nature of the breach, magnitude of the breach and to whom the notification is addressed, the format of the notification has to be adapted.”
To address this valid concern, the data protection agency should plan to create a broadcast mechanism for companies to publish breach information. Note: This is different from reporting the breach to the authorities.
For example: A bulletin board on a government website can be created. The content of each update should come directly from the breached entity. This will make sure there is a credible source for all breaches which need to be made public. It also makes it easier for media houses to track breaches and report on relevant incidents. Such a mechanism does not stop the breached entity from also reporting to the media about the breach. However, it does make it easier for smaller companies to comply with the laws of the land.

c. Breach of Biometric data: Following a breach, most kinds of data can be protected by simply making the breached asset void and getting a new one. Credit cards, Driver’s licenses etc. are examples of such data. There are others where it is hard to replace a breached asset. PAN and Aadhar numbers (not biometrics) are a good example. While today it is not possible to simply get a new PAN, the agency issuing PANs could easily come up with such a scheme (and this should be encouraged). However, the most dangerous category is when Biometric data leaks. For example, if — hypothetically — your Aadhar fingerprint leaks, there is no way to get a “new” fingerprint. A larger debate is necessary on appropriate responses to incidents where Biometrics are leaked. At this point, it appears that the best course of action would be to recommend moving away from Biometrics as authentication information.