Concluding Plenary Discussion
Pages 37-44


From page 37...
... Participants described examples of harms to individuals that include, among other possibilities, identity theft, the exposure of financial and medical information, damage to personal reputation, endangerment of personal safety, and psychological harms related to fear, loss of trust, and inconvenience. Several noted that data breaches have repercussions not just for individuals, but also for business practices and trade secrets, the economy, and national security.
From page 38...
... Apart from special cases like Ashley Madison, he contended that disclosure of identifying information does not constitute a significant harm. In his presentation, James Harvey, Alston & Bird, suggested that having a credit card number stolen may not in itself constitute tangible loss if the consumer does not have to pay for any fraudulent charges and only has to have the credit card replaced.
From page 39...
... For example, he said, instead of designing processors "where every device driver is one bug away from compromising the whole device," software architectures need to be built so that some portions of data security stay intact even in the face of inevitable human error on the part of developers. Steve Lipner built on these themes.
From page 40...
... DATA BREACH REMEDIATION

Perhaps more than on any other issue, workshop attendees expressed broad agreement that current remediation measures are insufficient to address the harms caused by today's data breaches. Credit monitoring is the overwhelmingly predominant remediation, a measure that many attendees viewed as not only inadequate protection against financial and identity theft -- since it can only help victims detect identity theft but not prevent that theft from occurring -- but completely inappropriate for a wide variety of other types of harms that can result from data breaches.
From page 41...
... In terms of describing harms, designing remediation, and assigning liability, Mulligan posited that some types of information may need to be considered under the legal standard of strict liability because there is no way for a victim to fully recover from the repercussions of the breach. She cited as an example the Ashley Madison breach, which she said could be viewed as the equivalent of "an inherently dangerous product." She noted that in that case, the company had actually encrypted all of its customers' financial data, but the financial information did not constitute the totality of the sensitive information they were sitting on.
From page 42...
... MECHANISMS FOR CHANGE

Given the general sense among attendees that the current information security framework has not been effective at preventing, deterring, or adequately remediating data breaches, participants explored how the situation could be improved. In her closing comments, Mulligan noted that while there has been "a lot of money changing hands" and many lawyers and insurance companies getting involved in addressing data breaches, there is still a sense that there hasn't been much progress on the day-to-day protection of information.
From page 43...
... Setting Standards

Bob Belair, Arnall Golden Gregory, LLP, noted that while workshop attendees expressed widespread agreement that reforms are needed to better address data breaches -- for example, "as to what standards folks that are holding data ought to adhere to, what the process ought to be in terms of auditing and compliance with the policies, and then what happens if there is a breach and remediation" -- he expressed doubts that these reforms would come in the form of federal legislation. The question then becomes, What is the right venue for these changes?
From page 44...
... Lampson also noted that a consensus study from the Academies could help bring clarity on data breach harms, prevention, and remediation and help to establish standards. "I think it has been clear from this discussion that it would be good for the National Academies to undertake a study that can produce recommendations on this subject," he said.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.