Monday, December 20, 2010
Part 2 of Liberty Coalition report recommends badly needed fixes to Hawaii’s privacy laws
The just-released Report on Hawaii Breaches, Part 2 is available here. Press release is here. The earlier Part 1 is available here.
The Liberty Coalition will hold a press conference on Monday, December 20th at 11:00 a.m. HST to summarize the report and take questions. If you found your name among those affected by the massive UH data spill (check at: nationalidwatch.org), you may want to join in.
Dial: (610) 214-0200, enter Conference Code: 863597#
The timing couldn’t be better—even as advocates and legislators are hard at work preparing bills to be introduced in 2011, just one month from now, the Liberty Coalition has prepared and released a report that includes suggestions for measures that could reduce Hawaii’s vulnerability to ID theft. The seven proposals in the report are:
Proposal 1: Private Right of Action for Data Breach and Identity Theft Victims
Proposal 2: Require Breach Notifications Contain Useful Detail
Proposal 3: Legislative Auditor Evaluation Report
Proposal 4: Public Audits to Mandate Compliance with Promises and Standards
Proposal 5: Consumer and Victims’ Advocacy Organization
Proposal 6: Breach Victims’ Trust Account
Proposal 7: Apply Hawaii’s Unfair or Deceptive Acts and Practices Act to State Agencies which Perform Private Sector Services
The report includes a review of Hawaii’s privacy statutes and suggestions for amendment.
University of Hawaii fails to protect entrusted data
The report briefly recaps the earlier scathing criticism of data security practices in the state, focusing specifically on the majority offender, the University of Hawaii:
Part 1 of this report included a detailed chronology of all Hawaii breaches on record, since records have been kept in 2005. Since 2005, at least 479,000 Hawaii records have been breached, nearly one for every three Hawaii residents. The report found that the University of Hawaii (UH) is responsible for 54% of all reported breaches in Hawaii (259,000 records), more than all other Hawaii organizations combined. UH has also demonstrated a pattern of repetitive promises to improve security after each breach, many of which remain unfulfilled.
Part 1 also found that Hawaii organizations do not have adequate market or legal incentives to keep personal information secure. Exacerbating this problem, Hawaii victims cannot know which breach caused identity fraud, cannot hold organizations accountable, or protect themselves.
Part 1 explored common systemic weaknesses which are not sufficiently addressed by Hawaii Law.
Hawaii’s laws are not working
The two reports taken together cry out for legislative remedy. For example, the report states that Hawaii’s notification laws are badly in need of repair:
Lack of Information Leaves Victims Powerless: Even though Hawaii requires organizations to notify victims when breaches occur, the notifications fail to give victims sufficient information to understand their level of risk, and the actions they should take. Even well-intentioned organizations issue vague, incomplete, blame-shifting or liability-reducing press releases that leave victims in the dark. And your credit report will never tell you where a thief got your social security number.
Hawaii’s Breach Notification Law Shows Decreasing Effectiveness: Breaches in Hawaii appear to be consistent with Verizon’s annual data breach report in conjunction with the U.S. Secret Service,[10] issued in July, 2010. The report finds that most breaches “continue to be discovered by external parties and then only after a considerable amount of time,” and that most organizations “remain sluggish in detecting and responding to incidents.”
Breach Notification Laws are Not Working: According to James Van Dyke, a leading identity theft expert, “notification is not working. Consumers apparently do not understand that the data breach puts them at increased risk for other types of fraud. Notification may need to be more explicit about the possible types of fraud that may be perpetrated with the data exposed, and the possible steps the consumer can take for protection.”[11] In addition, notwithstanding Hawaii’s breach notification law, the state seems to be experiencing an upswing in reported breaches.