When Chris Soghoian requested public records of a cybersecurity breach
at Indiana University a few years ago, he knew he was onto something.
A hacker in China had obtained thousands of campus e-mail addresses —
along with personal information.
Then, last summer, Soghoian found a breach in Astroglide's Web site,
allowing him to find information on 200,000-plus people who ordered a
free sample of the personal lubricant. That was enough to convince him
there was a problem.
Today, a bill Soghoian co-wrote with state Rep. Matt Pierce will be up
for a vote in an Indiana Senate subcommittee. But late Monday,
Soghoian got word that the bill is expected to be stripped to its
core, at the request of lobbyists.
Soghoian — who gained national attention when he posted directions on
how to create fake airline boarding passes on his Web site last year —
said he was disappointed to hear that news about the bill, but still
feels his original intent is worth pursuing.
"On the backs of both (the IU and Astroglide) issues, I started
speaking with Matt Pierce, and told him the existing legislation
wasn't working," Soghoian said.
As it stands now, Indiana law requires an organization to send a
letter to its regulating agency in the event any of its
cyber-infrastructure is breached. If a telephone company gets hacked
and personal data are stolen, that company has to notify its
communications agency.
"The law was well-intentioned," Soghoian said, "but there's some
fairly significant loopholes in it."
The new bill, as originally written, would require Indiana's attorney
general's office to publish word of any security breach on its Web
site.
So if your Social Security number was hacked from a cable television
provider, that company would have to alert the AG's office, which
would have to post a notice online.
"I realized one of the significant issues facing consumers in this
state was the lack of a central reporting station," Soghoian said.
"There's no real central place where they can go."
Soghoian studied New Hampshire's approach to the problem, and modeled
the bill after its policy.
"They have a single Web site where everything gets reported," he said.
"I thought, 'Wow, it'd be really cool if we could do that.'"
With the help of Pierce, D-Bloomington, and IU cybersecurity expert
Fred Cate, the bill was submitted. It passed in the Indiana House of
Representatives, 94-0.
Adopting stricter ways of notifying consumers about security breaches
would reduce the chance for identity theft, Soghoian believes. The
bill also would require businesses to adopt the "industry standard"
data encryption technology to protect electronic data from hackers.
But large companies opposed the idea, saying that posting every breach
could confuse consumers and make the companies look bad.
"The bill didn't have any opposition in the House," Pierce said, "but
once it got to the Senate, suddenly Microsoft and the credit bureaus
and Verizon all started showing up and didn't particularly like the
idea of having their mistakes on a Web site."
But a representative from the Indiana Public Interest Research Group
said that's exactly the point.
"If companies know that their sloppy mistakes putting consumers at
risk of identity theft will be exposed on the Attorney General's
Office Web site, they'll make fewer mistakes," said IU's INPIRG campus
coordinator Kasey Swanson.
Monday, Soghoian got an e-mail from Pierce saying the bill will
probably be weakened.
"(Pierce) told me the bill will be stripped down to completely next to
nothing," Soghoian said. "It seems like the special interests who flew
in from (Washington,) D.C., might have their way after all. It's
pretty depressing."
Pierce said the bill will likely be narrowed down to only include the
laptop provision, which states that a stolen laptop or other portable
device will only be considered to not be a breach if the data
contained on it is encrypted — not just password-protected.
"If that's what it takes to keep the bill moving, it may give me the
opportunity to object (to the removal of other provisions) and take it
to the conference committee," Pierce said.
-- by James Boyd