A Few States Now Actually Help You Figure Out If You’ve Been Hacked

This week, Massachusetts became the latest in a small group of states to publish data on hacks against its citizens.
Getty Images

Thousands of US companies were hacked last year, and each time people's private data was taken. Was yours? You may not know, because it's hard to keep track, much less do anything about it, when there are so many incidents all the time. But if the data collected on breaches in the US were available to you, it would be a lot easier to check whether you've interacted with compromised businesses and institutions. That data exists. In fact, nearly every US state (47, to be exact) requires companies to disclose when a breach affects their citizens, and most track this data internally. That data is usually a public records request away from you, the consumer, who could actually use it to inform your digital habits. But recently a small group of states have decided to make breach information freely available to the public. This week, Massachusetts joined them.

Breaches endanger valuable data for people and corporations alike---financial details, identity data, and trade secrets. But reliable sources that help people track incidents and determine the best ways to defend themselves or their organizations are scarce. Many are unaware of the risks at all. Transparent state records certainly do not resolve these issues, but they can act as a consistent source of reliable data. Posting easily available public records also gives companies an incentive to proactively prioritize cybersecurity so they don't have to endure the embarrassment of being listed.

Massachusetts joins California, Indiana, and Washington in making this data public. The US Department of Health and Human Services has also collected and publicly posted information about patient data breaches since 2009. The HHS data collection is often referred to colloquially as the "Wall of Shame." For Massachusetts, the decision is a way to increase transparency.

Massachusetts law requires that any breached entity notify each impacted citizen in addition to the state government. This covers any US company, not just those based in the state; if a resident of Massachusetts has their data compromised, the company must inform both the resident and the state government. The state has been tracking that data since 2007 and is releasing it now so you can track trends and avoid insecure interactions. Massachusetts says it plans to update its breach data every month. The state doesn't publish individuals' data, but it does offer other indicators, such as what types of information were breached (troves of social security numbers, credit card numbers, etc.). The data sets also don't include breaches---like the recently disclosed Yahoo hack---that only compromise user information such as passwords and security questions, since Massachusetts doesn't classify that data as "personal identifying information."

"We thought it was a good idea for the public to be able to see who’s being breached," says Chris Goetcheus, a spokesperson for the Massachusetts Office of Consumer Affairs and Business Regulation. "It’s a way that they can monitor their accounts with different businesses or companies."

The big question, though, is whether citizens and businesses will bother checking the notifications. "It could be helpful to consumers if they took advantage of it," says Christin McMeley, chair of the privacy and security practice at the business and litigation law firm Davis Wright Tremaine. (The firm also maintains an interactive tool that tracks data breach notification laws in each US state.) These state initiatives follow similar consumer tools and services put out by private citizens, such as Have I Been Pwned and LeakedSource, which let you check whether your data appears in various leaked troves. Unlike a LeakedSource-esque service, run by an anonymous, unknown entity, government data is straightforward and reliable.

Publicly releasing this kind of data is not without risk. Better access to information about breaches could fuel cyber criminals as they search for victims and even result in hackers doubling down on targets whose defenses have already been weakened. "As a security professional [these databases mean] I can go out and see which states have more breaches than others and I can do a lot of research, so that’s awesome," says Jared DeMott, chief technical officer of the managed security company Binary Defense Systems and founder of the security consultancy VDA Labs. "The hacker in me wonders how it could be abused, though. It might even give me a starting point if I want to own somebody." But given that much of the current cybersecurity predicament stems from lack of awareness and access to information, DeMott says that on balance, "I always lean on the side of transparency."

Reducing the barriers to accessing data breach information is only an incremental step toward public awareness of the severity and importance of breaches. And three states have no breach disclosure laws at all, much less easy access to information---we're looking at you, New Mexico, South Dakota, and Alabama. But if you're looking for a new dentist and your state offers a way to check for breaches, you might as well choose a practitioner who has a clean cybersecurity record.