Are data breach laws good policy?
This week Indiana passed a new data breach and notification law, which closes some loopholes in the previous law. Generally speaking, I think that's a good thing.
But what worries me about the Indiana law, as I read it (and IANAL), is that if you, gentle reader, happen to live in Indiana and post your private information such as your name and social security number as a comment to my blog, then I could be in violation of the breach law - even though I never asked you to post it. (Or depending on how a court interprets the terms of the agreement between the individual and Blogger, it might be Blogger that would be in violation.) Simply the presence of personal information, even if it was never requested by the owner of a site, can put that site at risk.
This could obviously impact places like LinkedIn or VisualCV, where people routinely post some types of information that might be considered private (employment and education history), as well as the more obvious sites like MySpace and Facebook. If a user of LinkedIn decides to aid their job search by posting their SSN and driver's license number (two of the protected types of personal information), and then someone else copies the data from that site, is LinkedIn at risk? Even though their terms of service don't explicitly say "don't post personal data, stupid", most people would understand that - and it would be hard to say such disclosure would be a "breach" since LinkedIn pages are public, but would it come under the law? (LinkedIn's user agreement says you may not "post content in fields that aren’t intended for that content. Example: Putting an address in a name or title field" - but would putting your SSN be a violation of those terms?)
It's an interpretation that wouldn't make a lot of common sense, but some lawyers specialize in lawsuits against deep-pocketed targets like LinkedIn.
So to me, the problem with the law is that the site holding the data doesn't even need to ask for the data in order for it to be at risk of violating the law.