Are Data Breach Notices Breaching Privacy?

December 16th, 2008 Rob Douglas

Every day, several times a day, I check out PogoWasRight.org. The site, run by an individual who goes by the alias Dissent, does a tremendous job tracking threats to privacy from around the world.

Today, Dissent has published an original piece, When Breach Notifications Breach Privacy, questioning whether those who file mandatory breach notices with various state attorneys general around the United States may, at times, be including personal information that only furthers the exposure of the breached data.

Dissent, who examined this problem earlier this year, notes:

“Back in May, I reported a situation in which a breach notification letter to a state attorney general had revealed patient information, thereby creating yet another breach that was compounded by the publication of the notification letter on the Web. Because a similar web exposure problem recently occurred, I thought I would take a moment to point out what some CPOs, CSOs, and other reporting entities may not know or think about when they write their notification letters: if you file a mandated notification to states attorney general or another state agency or department under a state’s mandated notification laws, your notification letters generally become public records that are obtainable under public records or freedom of information laws.”

After reviewing which states have central registries where breach notices are available via one method or another, Dissent concludes this way:

“Having to disclose a breach can be embarrassing enough. Revealing someone’s personal information in your disclosure is even more embarrassing. When you include copies of your notification letters to affected individuals or other documentation concerning the breach, check to ensure that you have not included any actual individual’s information in the letter. You’ll thank me later.”

Personally, I think we all owe Dissent our gratitude now for all the great work being done over at PogoWasRight.org.

One Response

  1. Compare Identity Theft Protection Services Says:

    It is so unfortunate that identity theft victims are routinely re-victimized by corporations that don’t take the proper steps to rectify their breaches. I would say that this is surprising except for the fact that many of these corporate data breaches are the result of sloppy or inept security in the first place. It seems like the only way to make corporations more accountable is to find a way to hold the CEOs, CIOs, CSOs, CPOs, etc. personally liable for damages in such breaches the way that Sarbanes/Oxley makes CEOs and CFOs personally liable for accounting irregularities.
