The State of Privacy by Joe Oleksak & Kurt Vanderwal
Pointing the Finger
Identity theft is one of the fastest growing problems in the United States. Estimates suggest that between 300 and 400 data breaches were reported in 2007, resulting in the compromise of more than 79 million records. This means that roughly 1 in 4 Americans were affected by a data breach in 2007 alone (an increase of nearly four times over 2006, in which there were 20 million reported compromises). So who are the 1 in 4 Americans? It could be anyone, but depending on the state in which they live, they may never know!
To take the moral high road, many states quickly introduced laws protecting the privacy of their citizens by requiring businesses to inform their customers and employees of a data breach. Therefore, regardless of where a company resides or where data is housed, the state law of each customer governs the disclosure responsibility.
The first such law was passed in California (California Senate Bill 1386); 38 states and the District of Columbia have followed. However, each law differs in both its definition of personal information and the responsibilities it places on data owners. This piecemeal attempt to protect the customer has left companies that do business in multiple states in legal limbo, often not understanding their legal obligations to each customer or employee when a data breach occurs.
Enter the federal government! While no federal laws are currently in place regarding data breach disclosures, a bill was introduced in Congress in February that would set the minimum corporate requirements for data breach notifications. The passage of this bill may greatly affect the requirements of businesses in all states by providing a unified set of standards to follow regardless of the customer/employee location.
So what should companies do proactively to meet the many state data breach disclosure requirements if an event occurs? Companies should implement a security control model built on the following control types:
- Preventative
- Detective
- Corrective
Prevent, Prevent, Prevent
Most importantly, companies should proactively secure customer data. Preventing the breach avoids the confusion altogether. Develop a risk-based security plan built on the following five key principles:
- Know the data — Inventory all customer data.
- Keep the minimum — Keep only the data needed for business.
- Encrypt — Protect personal information.
- Dispose — Properly dispose of what’s no longer needed.
- Plan for the worst — Have a plan to respond to security incidents.
Remember: it’s more cost-effective to secure customer information than to repair the damage and rebuild consumer confidence after a data breach.
Know When It Happens
Unfortunately, companies may not always be able to prevent a data breach, but in order to comply with the requirements set forth in each of the state privacy laws, they should be able to detect (in a timely manner) when such an event occurs.
Formal firewall monitoring and log reviews, implementation of an Intrusion Prevention System (IPS) or Intrusion Detection System (IDS), and risk-based network event and database logging are all examples of effective detective controls that should be carefully considered by all companies.
Correct the Problem
Once the breach has been identified, state regulations require action. Be prepared to react by understanding the applicable customer notification requirements. The first step is determining the state of residence for each customer or employee whose personal information may have been obtained.
Nuances in each state law make compliance requirements difficult to understand when the breach affects citizens of multiple states. However, existing state laws are similar enough to provide general guidance, which may help with compliance until more unified guidance is available. Three questions are common to every state law:
- What data was breached?
- Was it encrypted?
- Was the encryption key compromised?
Defining the Data Breach — Regardless of the state law, if the data breach meets the definition of “personal information,” customer notification is required unless protected properly. So what’s the definition of “personal information”?
The National Conference of State Legislatures (NCSL) provides research and assistance related to each of the state privacy laws. Companies should consult legal counsel and/or visit http://www.ncsl.org/ to ensure the definition used is appropriate for their unique situation.
Was the data protected? — Ideally every company has implemented encryption, but in reality many have not. If the data obtained was not encrypted, customer notification is required.
Was the data protected properly? — If the data was encrypted, the encryption key was not compromised or disclosed, and the key is not in the possession of (or known to) the person who acquired or accessed the data without authorization, then customer notification may not be required.
Informing Customers
If “personal information” was indeed breached, the next issue is to determine how and when to inform the customer. Most state laws require companies to inform customers without unreasonable delay. Acceptable delays may include the time needed to determine the full extent of the breach.
Guidelines to acceptable methods of informing customers may include:
- Written notice to the customer’s postal address.
- Written notice sent electronically if the recipient has expressly consented to this form of communication.
- Notice by telephone from a live individual representing your business (not a recorded message), provided the recipient has agreed to this form of communication.
- A “Substitute Notice” for large-scale breaches. This includes posting the relevant information on a website and notifying major statewide media of the event.
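The response procedure above (find each person's state of residence, ask the three questions, then choose a notice channel) is mechanical enough that an incident response team can encode it. The following Python is an added example written for this page, not code from the authors; the set of data elements treated as “personal information”, the state codes, the consent flags and the sample records are all constructed assumptions, and the real definition for any given state must come from counsel or the NCSL material the article points to.

```python
"""Breach notification triage, written as an illustrative example.

The decision logic mirrors the three questions the article lists:
what data was breached, was it encrypted, and was the key compromised.
Everything below that looks like a legal rule is an assumption made
for the example, not a statement of any particular state's statute.
"""
from dataclasses import dataclass


# ASSUMPTION: data elements that, combined with a person's name, count as
# "personal information" for this example. Consult counsel / NCSL for the
# definition that actually applies in each state.
SENSITIVE_ELEMENTS = {"ssn", "drivers_license", "account_number"}


@dataclass
class ExposedRecord:
    person_id: str
    state: str              # state of residence decides which law governs
    elements: set           # data elements present in the exposed record
    has_name: bool          # elements are tied to a name
    encrypted: bool         # was the data encrypted at rest?
    key_compromised: bool   # was the encryption key obtained by the intruder?


def is_personal_information(rec):
    """Question 1: does the exposed record meet the (assumed) definition?"""
    return rec.has_name and bool(rec.elements & SENSITIVE_ELEMENTS)


def notification_required(rec):
    """Questions 2 and 3. Returns (required, reason) for the audit trail."""
    if not is_personal_information(rec):
        return False, "not personal information"
    if not rec.encrypted:
        return True, "unencrypted personal information"
    if rec.key_compromised:
        return True, "encrypted but key compromised"
    return False, "encrypted and key not compromised"


def triage(records):
    """Group everyone who must be notified by state of residence, so each
    group can be handled under that state's law."""
    by_state = {}
    for rec in records:
        required, reason = notification_required(rec)
        if required:
            by_state.setdefault(rec.state, []).append((rec.person_id, reason))
    return by_state


def notice_channel(consents, large_scale=False):
    """Pick a channel from the article's list of acceptable methods.

    `consents` is the set of channels the recipient has expressly agreed
    to ("electronic", "telephone"). Postal mail is the fallback. The
    ordering of preferences here is an assumption for the example.
    """
    if large_scale:
        return "substitute notice: website posting plus statewide media"
    if "electronic" in consents:
        return "written notice, sent electronically"
    if "telephone" in consents:
        return "telephone call from a live representative"
    return "written notice to postal address"


# Constructed sample records for a hypothetical incident.
SAMPLE_RECORDS = [
    ExposedRecord("p1", "IL", {"ssn"}, True, False, False),
    ExposedRecord("p2", "CA", {"account_number"}, True, True, False),
    ExposedRecord("p3", "CA", {"drivers_license"}, True, True, True),
    ExposedRecord("p4", "NY", {"email"}, True, False, False),
    ExposedRecord("p5", "IL", {"ssn"}, False, False, False),
]


if __name__ == "__main__":
    for state, people in sorted(triage(SAMPLE_RECORDS).items()):
        print(state)
        for person_id, reason in people:
            print(f"  {person_id}: notify ({reason})")
    print(notice_channel({"electronic"}))
    print(notice_channel(set(), large_scale=True))
```

Running the sample produces two groups: `IL` with `p1` (unencrypted SSN) and `CA` with `p3` (encrypted, but the key was compromised). `p2` is excluded because its encryption held, `p4` because an e-mail address alone does not meet the assumed definition, and `p5` because no name was tied to the data. The `reason` string is retained so the decision for every person can be justified later if a state regulator asks.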
Third-Party Responsibility
Many companies rely on third parties to provide technical resources to their business, including data storage. If a data breach occurs on data stored at a third party, where does the responsibility lie? The answer is simple: with the data owner. Should the third party determine that a data breach has occurred on data stored at its location, its responsibility is to inform the data owner, not the customers. The responsibility for informing the customers always rests with the business. Companies should require third parties who handle “personal information” to provide an SAS 70 report on the state of their internal controls. An SAS 70 is not the end-all, but it is a good place to start when attempting to gain comfort over the controls a third party has implemented to protect company data.
Conclusion
No one expects to have a data breach, neither the business owner nor the consumer. However, chances are it will happen, and the publicity generated may not be positive. Having a properly implemented security control model (due diligence) can help companies manage the negative publicity and consumer fallout in the event of a breach. Remember: changes and updates to privacy and consumer notification laws occur frequently, so keeping up with the latest guidance from each state should be considered an important part of everyday business.