Example Breaches:
“Target data breach spilled info on as many as 70 million customers.”
“As many as 80 million customers of the nation’s second-largest health insurance company, Anthem Inc., have had their account information stolen.”
The two parts
Overview of the information security concepts and laws to which companies must adhere in order to protect this ever-expanding amount of data
Data breach notification laws are triggered when this data is unlawfully accessed or stolen.
Two parts: Risk Assessments and Security Controls
Information security attributes:
Confidentiality: access to data is limited to authorized parties.
Integrity: assurance that the data is authentic and complete.
Availability: knowledge that the data is accessible, as needed, by those who are authorized to use it.
Information security is achieved by implementing controls, which need to be monitored and reviewed, to ensure that organizational security objectives are met.
Security Control Types
Administrative controls—such as incident response procedures and training
Physical controls—such as locks, security cameras, and fences
Technical controls—such as firewalls, antivirus software, and access logs
Information security vs information privacy.
Information security is the protection of personal or other types of information from unauthorized access, use and disclosure.
Information privacy decides what sorts of use and disclosure of personal information should be authorized.
Federal Laws
The healthcare and financial sectors have federally imposed information security provisions that preempt any state requirements.
These Federal Laws have information security requirements:
HIPAA
GLBA
FTC Section 5
FTC Section 5 Enforcement
The Federal Trade Commission (FTC) uses its Section 5 power (under the FTC Act) to bring actions against companies misrepresenting their information security practices (as a deceptive trade practice).
State Laws on Information Security Measures
In the absence of comprehensive federal requirements, some state legislatures have passed laws requiring companies to take information security measures to protect citizens’ sensitive information.
CA AB 1950
Personal information is defined as an individual’s name in combination with any one or more of:
(1) Social Security number,
(2) driver’s license number or California identification card number,
(3) financial account number or credit or debit card number “in combination with any required security code, access code or password that would permit access to an individual’s financial account,”
(4) medical information,
(5) health insurance information,
(6) data collected from automated license plate recognition systems.
New York issued regulations in 2017 (applying to financial services companies) that may become the new standard for the strictest state law.
Massachusetts’ state security law has generally been considered the most prescriptive in the nation. The law goes beyond breach notification by requiring businesses holding personal information (defined as a Massachusetts resident’s name plus a sensitive data element, such as a Social Security number) to:
Designate an individual who is responsible for information security
Anticipate risks to personal information and take appropriate steps to mitigate such risk
Develop security program rules
Impose penalties for violations of the program rules
Prevent access to personal information by former employees
Contractually obligate third-party service providers to maintain similar procedures
Restrict physical access to records containing personal information
Monitor the effectiveness of the security program
Washington State’s security law, HB 1149, also took effect in 2010.
Along with states including Minnesota and Nevada, Washington is part of a growing trend to incorporate the Payment Card Industry Data Security Standard (PCI DSS) into statute to ensure the security of credit card transactions and related personal information.
Laws Limiting Use of Social Security Numbers
State
The majority of states have laws limiting businesses’ right to use Social Security numbers.
Federal
The federal government has a variety of limits on disclosure of Social Security numbers.
The Privacy Rights Clearinghouse lists eight types of incidents:
Unintended disclosure: sensitive information posted publicly on a website, mishandled, or sent to the wrong party via email, fax or mail
Hacking or malware: electronic entry by an outside party, malware and spyware
Payment card fraud: fraud involving debit and credit cards that is not accomplished via hacking; for example, skimming devices at point-of-service terminals
Insider: someone with legitimate access, such as an employee or contractor, intentionally breaching information
Physical loss: lost, discarded or stolen nonelectronic records such as paper documents
Portable device: e.g., lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape
Stationary device: lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility
Unknown or other
Most common incident
According to the Theft Resource Center, nearly 40 percent of the data breaches in 2015 were hacking incidents.
Actions
The first step in incident management is determining whether a breach has actually occurred.
If a breach is discovered, the second step is containment and analysis of the incident.
The third step in incident management is to notify affected parties.
Final step
For organizational learning and prevention, organizations should implement effective follow-up methods.
Examples: additional training, internal self-assessments and third-party audits.
OMB Security Breach Plan: this detailed, public guidance can be a useful template for organizations looking for best practices in developing a security breach plan:
Designate the members who will make up a breach response team
Identify applicable privacy compliance documentation
Share information concerning the breach to understand the extent of the breach
Determine what reporting is required
Assess the risk of harm for individuals potentially affected by the breach
Mitigate the risk of harm for individuals potentially affected by the breach
Notify the individuals potentially affected by the breach
As of the writing of this book, no federal legislation has been enacted.
As of 2017, 48 of the 50 states, the District of Columbia, Puerto Rico and the U.S. Virgin Islands have enacted state breach notification laws.
Definition of Personal Information
An example of the typical definition of “personal information” is Connecticut’s, which defines it as “an individual’s first name or first initial and last name in combination with any one, or more, of the following data:
(1) Social Security number;
(2) driver’s license number or state identification card number; or
(3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.”
Exclusions:
Almost all states exclude publicly available information, often defined to include information “lawfully made available to the general public from federal, state or local government records or widely distributed media.”
Definition of Covered Entities
CT: covered entities subject to its notification law are
“any person who conducts business in this state, and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information.”
Harm and Definition of Security Breach
Connecticut defines a “breach” of security as access to unencrypted information and/or destruction of information:
“unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information, when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.”
Whom to Notify
The primary recipients of a breach notification are state residents who are at risk because their personal information has potentially been exposed based on the level of unauthorized access or harm.
When to Notify
All states with data breach notification laws use similar language to describe the required timing of notifications.
The most common phrase used in conjunction with timing is “the most expeditious time possible and without unreasonable delay.”
When a data breach is suspected to be the result of criminal activity, most states also allow delays “for a reasonable period of time if a law enforcement agency determines the notification will impede a criminal investigation.”
What to Include
Most states do not specify the contents of the notification.
North Carolina’s requirements, for example, are among the most extensive, including:
A description of the incident in general terms
A description of the type of personal information that was subject to the unauthorized access and acquisition
A description of the general acts of the business to protect the personal information from further unauthorized access
A telephone number for the business that the person may call for further information and assistance, if one exists
Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports
The toll-free numbers and addresses for the major consumer reporting agencies
The toll-free numbers, addresses and website addresses for the FTC and the North Carolina attorney general’s office, along with a statement that the individual can obtain information from these sources about preventing identity theft
How to Notify
States generally provide notification options, but a written notice to the data subject is always required first.
Telephonic and electronic messages are typical alternatives, but usually only if the data subject has previously explicitly chosen one of those as the preferred communication method.
Exceptions to Notification
There are three basic exceptions for providing data breach notification.
The first and most common exception allowed by states is for entities subject to other, more stringent data breach notification laws.
Second, most states allow exceptions for entities that already follow breach notification procedures as part of their own information security policies, as long as these are compatible with the requirements of the state law.
Third, in most states, a safe harbor exists for data that was encrypted, redacted, unreadable or unusable.
If the data is effectively encrypted, the breach did not “compromise the confidentiality, security and integrity” of the information; therefore it is not a breach under the laws that use that compromise standard.
Penalties and Right of Action
The Connecticut law reserves enforcement, as many states do, to the state attorney general.
Some states specify penalties.
As of 2017, at least 32 states have data destruction laws.
North Carolina provides a three-fold description of required reasonable measures:
Paper
Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing or shredding of papers containing personal information so that the information cannot be practicably read or reconstructed.
Electronic media
Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed.
Personal record policy requirements
Describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity.