Keeping your personal information private is, well, a losing battle. Companies can track your cellphone location even if you think you have blocked tracking. Companies can track locations you visit on the internet. And companies frequently say they value the trust you put in them with your personal information, though they may share it with mysterious “trusted partners.”
Then there are those times when data is outright stolen. As many as 5,000 city of Bend utility customers may have had their credit or debit card information taken. Code was apparently inserted into the software the city uses from its vendor CentralSquare, allowing the information to be copied. This wasn’t a Bend-only thing — if that makes you feel better. It has apparently happened elsewhere with the vendor’s software.
The incident exposed to us some weaknesses of Oregon’s data breach notification law. State law basically requires “a business or state agency to notify any Oregon consumer whose personal information, as defined, was subject to a breach of security,” as the Oregon Department of Justice’s website says. “The law also requires that a sample copy of a breach notice sent to more than 250 Oregon consumers must also be provided to the Oregon Attorney General.”
That’s fine. But the information about breaches in Oregon that the department publishes on its website is not very useful. It lists the entity that reported the breach, when the breach occurred, when it reported the breach, when the breach was discovered, and when notice was provided to customers.
That’s fine, too. It’s not as useful as it could be. How many people may a breach have affected? What was the nature of the information released or taken? What were the entities, software or other factors involved? What is known about how it was done? No, we aren’t suggesting the state publish a how-to guide for hackers.
We emailed the Department of Justice about this issue and did not receive a response by our deadline.
Data breaches are, it seems, going to be part of life. Our understanding of them and ability to combat them are not helped as much as they could be by the information that the state publishes.