California’s first state breach notification law - definition of PI
PI is
(1) Social Security number,
(2) driver’s license number or California identification card number,
(3) financial account number or credit or debit card number “in combination with any required security code, access code or password that would permit access to an individual’s financial account,”
(4) medical information,
(5) health insurance information, and
(6) data collected from automated license plate recognition systems.
** Personal information that is publicly available or encrypted is excluded from the law.
California AB 1950
- law requires a business “that owns or licenses personal information about a California resident” to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
Furthermore, the bill requires businesses using unaffiliated third-party data processors to contractually mandate similar security procedures
- CA AG issued report that identified Center for Internet Security’s Critical Security Controls as minimum level required.
Mass state security law, 201 CMR 17.00 = most prescriptive in nation
Goes beyond breach notification by requiring those holding PI (name plus sensitive element) to:
- Designate an individual who is responsible for information security
- Anticipate risks to personal information and take appropriate steps to mitigate such risks
- Develop security program rules
- Impose penalties for violations of the program rules
- Prevent access to personal information by former employees
- Contractually obligate third-party service providers to maintain similar procedures
- Restrict physical access to records containing personal information
- Monitor the effectiveness of the security program
- Review the program at least once a year and whenever business changes could impact security
- Document responses to incidents
From a technical perspective, 201 CMR 17.00 mandates user authentication, access controls, encryption, monitoring, firewall protection, updates and training. The law came into effect in 2010.
Washington state security law
- Along with states including Minnesota and Nevada, Washington is part of a growing trend to incorporate the Payment Card Industry Data Security Standard (PCI DSS) into statute to ensure the security of credit card transactions and related personal information.
- Washington’s HB 1149 permits financial institutions to recover the costs associated with reissuance of credit and debit cards from large processors whose negligence in the handling of credit card data is the proximate cause of the breach.
- Processors are not liable if the data were encrypted at the time of the breach or had been certified as PCI-compliant within one year of the breach.
Types of data breaches
- Unintended disclosure—sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail
- Hacking or malware—electronic entry by an outside party, malware and spyware
- Payment card fraud—fraud involving debit and credit cards that is not accomplished via hacking; for example, skimming devices at point-of-service terminals
- Insider—someone with legitimate access, such as an employee or contractor, intentionally breaching information
- Physical loss—lost, discarded or stolen nonelectronic records such as paper documents;
- Portable device—e.g., lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape
- Stationary device—lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility
- Unknown or other
Data Breach Step 1
Determining whether breach occurred or not.
Multiple failed log ins, sudden use of long dormant account, off-hours use, unknown programs, files or devices or users;
can be difficult to detect
Data breach - step 2
Containment and physical analysis of the incident.
Recover items, data.
Shut down infiltrated system, revoke access.
Forensic support may be needed.
Full audit and careful analysis, document.
Data breach - step 3
Notify affected parties.
States often require certain content in notification.
Contractual obligations as well.
timing crucial -
Data breach - step 4
Implement effective follow up methods.
Additional training, internal self-assessments, 3rd party audits, additional monitoring.
Identify deficiencies and correct.
OMB requirements for federal agency data breach
can serve as guidance.
The OMB set forth the following framework for a security breach plan:
• Designate the members who will make up a breach response team
• Identify applicable privacy compliance documentation
• Share information concerning the breach to understand the extent of the breach
• Determine what reporting is required
• Assess the risk of harm for individuals potentially affected by the breach
• Mitigate the risk of harm for individuals potentially affected by the breach
• Notify the individuals potentially affected by the breach
OMB policies also focused on the issue of contracts with vendors. From a best-practices perspective, organizations should ensure that vendors are contractually required to do the following: provide training to their employees on identifying and reporting a breach, properly encrypt PII, report suspected or confirmed breaches; participate in the exchange of information in case of a breach, cooperate in the investigation of a breach, and make staff available to participate in the breach response team.
Basic components of state data breach notification laws
- The definition of personal information, meaning the specific data elements that trigger reporting requirements
- The definition of what entities are covered
- The definition of a “security breach” or “breach of the security of a system”
- The level of harm requiring notification
- Whom to notify
- When to notify
- What to include in the notification letter
- How to notify
- Exceptions that may exist to the obligation to notify (or when notification may be delayed)
- Penalties and rights of action
Definition of PI in state data breach notification laws
CT as example:
an individual’s first name or first initial and last name in combination with any one, or more, of the following data: (1) Social Security number, (2) driver’s license number or state identification card number or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.”
others include medical and healthcare info.
some add federal or state ID numbers
some add biometric
Almost all exclude publicly available info - from public records or widely distributed media.
Definition of covered entities under state data breach notification laws
CT as example:
“any person who conducts business in this state, and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information.”
Harm and Definition of Security Breach in state data breach notification laws
CT as example:
Connecticut defines a “breach” of security as “unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information, when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable”
Some states add materiality qualifier or likely to cause identity theft as standard.
Whom to Notify under state data breach notification law
Primarily state residents who are at risk because of the breach.
More than half require AG notification and/or other state agencies, if certain thresholds crossed.
Timing of AG notification varies, from same time as affected individuals, to later.
At least 28 states require notice to nationwide CRAs, if certain thresholds are crossed (usually higher than number of affected to trigger AG notice).
All require notification of owner of data if its not the company.
When to notify under state data breach notification laws
The most common phrase used in conjunction with timing is the most expeditious time possible and without unreasonable delay.
Legislators, however, recognize the need for the affected entity to conduct a “reasonable investigation in order to determine the scope of the breach and to restore the reasonable integrity of the data system.”
As of 2017, only Florida, New Mexico, Ohio, Rhode Island, Tennessee, Vermont, Washington and Wisconsin specify a limit to expeditious time—typically no later than 45 days after the discovery of the breach.
Delays allowed to notify law enforcement, if criminal activity is suspected, if law enforcement believes notice would hamper investigation.
Puerto Rico has 10 days.
What to include in notice under state data breach notification laws
NC is among most extensive:
- A description of the incident in general terms
- A description of the type of personal information that was subject to the unauthorized access and acquisition
- A description of the general acts of the business to protect the personal information from further unauthorized access
- A telephone number for the business that the person may call for further information and assistance, if one exists
- Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports
- The toll-free numbers and addresses for the major consumer reporting agencies
- The toll-free numbers, addresses and website addresses for the FTC Commission and the North Carolina attorney general’s office, along with a statement that the individual can obtain information from these sources about preventing identity theft
How to notify
Written notice required. email and telephone if opted in to that.
Most legislation recognizes need for alternatives if thousands/millions.
CT as example: email, conspicuous posting on website, or in media
Exceptions to notification
3 basics:
- For entities subject to more stringent notification laws. Eg HIPAA, GLBA.
- Already following procedures as part of own infosec policies, as long as compatible.
- Encrypted, redacted, unreadable, unusable.
Penalties
State AG, with penalties for damages of various amounts (willful more).
PROA in handful - (VA, CA, TX MD, DC, others)
State Data Destruction Laws
At least 32, by 2017
Describe whom applies to, required notice of destruction, exemptions (eg. subject to federal law requiring destruction).
Most laws like NC so use as example.
NC as example, applies to those conducting biz in NC or maintains/possesses PI of resident of NC.
NC requires entities to take reasonable measures to safeguard against unauthorized access in connection with or after disposal.
NC - required reasonable measures -
- Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing or shredding of papers containing personal information so that information cannot be practicably read or reconstructed
- Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed
- Describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity
No PROA unless personal injury.
