Transparency May Be Required


Apple’s Developer Site was hacked. All Things D reports: Apple Developer Center Was Hacked; Site Remains Down While Company Overhauls Security
In its notification, Apple notes that it is letting developers know about this attack “in the spirit of transparency.”
Without knowing more about what information was obtained in the breach, there are a number of scenarios in which state laws would require Apple to notify its users that their personal information may have been accessed by an unauthorized third party.
In the US, nearly every state (as well as DC and Puerto Rico) has its own data breach notification law. Which law applies is determined not by the state in which the entity storing the personal information resides or keeps its data, but, because privacy is treated as a personal right, by the home state of the person whose data is being stored.
Most states define personal information to include:

An individual’s first name or first initial and last name plus one or more of the following data elements: (i) Social Security number, (ii) driver’s license number or state-issued ID card number, (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account. These laws generally apply to computerized data that includes personal information. Personal Information shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media.

But some states have a broader definition of personal information than this. Some states require that the state itself be notified when a breach affects more than a certain number of its residents. Some states offer a safe harbor from notification if the personal information was encrypted and was not accessed or acquired in unencrypted form.
BakerHostetler has straightforward and comprehensive summaries of the state data breach notification laws in its Data Breach Charts. With each state having different requirements, Apple’s notice to its developers wasn’t solely in the spirit of transparency, but also in the spirit of legal compliance.
A security researcher claims to have accessed Apple user data and to have filed bug reports to encourage Apple to fix the holes he found. iMore reports: Security researcher claims to have reported bugs shortly before Apple took down its developer portal. Whether the data was obtained by a white hat or a black hat does not change the fact that personal data reached a third party, which requires the company storing it to notify the affected individuals and, depending on how many people were affected, certain states as well.
Last week, the House Energy & Commerce Committee’s Subcommittee on Commerce, Manufacturing, and Trade held a hearing on whether a federal data breach notification statute is necessary: Subcommittee Explores State of Data Breaches in United States
Earlier this month, the California Attorney General released her report on data breaches affecting California residents in 2012. That year, 2.5 million Californians had personal information put at risk through electronic data breaches, and more than half of them would have been protected had the companies storing their personal data encrypted it.

Andrew Raff @andrewraff