Not a police priority

By eweek  |  Posted 2007-08-23

Vaas: Is that right? You would think that that would be our constitutional right, to get a police report on ourselves.

Greenberg: The police departments basically downplay these types of items as being not within the [category of] someone's been shot at, someone's broken into something, someone's been hit by something. So they're overwhelmed and they've sort of had an unwillingness to issue police reports on this. The legislation in Massachusetts and in a number of other states allows you to get your police report, which you need.

Vaas: Tell me how businesses and retailers are being affected by legislation such as this.

Greenberg: First, they need to put a breach notification in place. The thing that does vary from state to state is there are two different types of breach notifications. One is called risk based, which says that the commercial entity is allowed to make an assessment as to what they think the risk is of that breach resulting in unauthorized use of the citizen's information. Therefore, there could be a breach, but because the risk is considered low, they may not have to report it. The language around that determination of that risk varies. The other type is an absolute one, which simply says you absolutely must notify if any breach happens, even if you considered it to be very minimal risk. So states will vary in their implementation of that.

Vaas: Well, I think it would be odd, you know, the notion of having a business self-identify the risk involved in its own breach.

Greenberg: Right, it's questionable. Getting back to your question on how it affects these businesses, well, it means there's an amount of due diligence that they're expected to carry out. I will say that - outside of my current position at Unisys and in previous lives - I have witnessed entities stop investigating breaches because the more they learn the more notification they needed to do. And so that then falls into gray areas of interpretation. That's one of the risk areas to the consumer, which is that the law is good and Massachusetts has done a good thing and these states have done a good thing. However, there are still ways to wiggle through this and avoid the problem. Not necessarily doing so in all forms legal, but in, you know...

Vaas: Is it legal to initiate an investigation into a breach and then call it off because it's...

Greenberg: What basically happens is, you know, somebody on high makes the decision that says we have investigated the problem enough. We have accumulated enough information to assess this, the determination has been made and then they move forward. And so that's always the risk. From a commercial entity or government standpoint, to be responsible about this they will have internal policies which talk about full investigation of all data paths, all sources of information and, you know, basically have sign-off on that, accountable sign-off within the organization so that hand waving does not make its way through this. Instead there's a checklist that says, you know, have we fully investigated all forms of databases containing this information on the compromised machine?

Vaas: Is that something that Unisys customers are following through on, or do you see a broad spectrum of people acting responsibly and then maybe less so?

Greenberg: Well, in Unisys, our federal customers are actually very responsible on this. But they have the law on their side. It's more of being a governmental entity. The example I gave was not a Unisys customer. It was prior to my joining Unisys. I also want to point out one other risk to the consumer, which is that the notion that notification occurs is wonderful and good. Now, somebody calls you up today and says, "Hi, I'm notifying you of this and I'd like to give you the opportunity to freeze your report and do all of these things." Let's say you're in the state of Ohio. You might say, "Well, I heard that there was a breach." And therefore, you know, you're plugged in, so you start cooperating with that e-mail or that individual on the phone or even a letter. There's a new form of fraud going on. I'm calling the term notification fraud, where entities are, criminals are, basically latching on to these announcements and then going out to people and taking advantage of the shock and catching their guard down and gathering, actually stealing their identity by telling them they're providing them notification services.
