Chapter 6 Flashcards
California’s first state breach notification law - definition of PI
PI is
(1) Social Security number,
(2) driver’s license number or California identification card number,
(3) financial account number or credit or debit card number “in combination with any required security code, access code or password that would permit access to an individual’s financial account,”
(4) medical information,
(5) health insurance information, and
(6) data collected from automated license plate recognition systems.
Note: Personal information that is publicly available or encrypted is excluded from the law.
California AB 1950
- law requires a business “that owns or licenses personal information about a California resident” to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
Furthermore, the bill requires businesses using unaffiliated third-party data processors to contractually mandate similar security procedures.
- CA AG issued report that identified Center for Internet Security’s Critical Security Controls as minimum level required.
Massachusetts state security law, 201 CMR 17.00 = most prescriptive in the nation
Goes beyond breach notification by requiring those holding PI (name plus sensitive element) to:
- Designate an individual who is responsible for information security
- Anticipate risks to personal information and take appropriate steps to mitigate such risks
- Develop security program rules
- Impose penalties for violations of the program rules
- Prevent access to personal information by former employees
- Contractually obligate third-party service providers to maintain similar procedures
- Restrict physical access to records containing personal information
- Monitor the effectiveness of the security program
- Review the program at least once a year and whenever business changes could impact security
- Document responses to incidents
From a technical perspective, 201 CMR 17.00 mandates user authentication, access controls, encryption, monitoring, firewall protection, updates and training. The law came into effect in 2010.
Washington state security law
- Along with states including Minnesota and Nevada, Washington is part of a growing trend to incorporate the Payment Card Industry Data Security Standard (PCI DSS) into statute to ensure the security of credit card transactions and related personal information.
- Washington’s HB 1149 permits financial institutions to recover the costs associated with reissuance of credit and debit cards from large processors whose negligence in the handling of credit card data is the proximate cause of the breach.
- Processors are not liable if the data were encrypted at the time of the breach or had been certified as PCI-compliant within one year of the breach.
Types of data breaches
- Unintended disclosure—sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail
- Hacking or malware—electronic entry by an outside party, malware and spyware
- Payment card fraud—fraud involving debit and credit cards that is not accomplished via hacking; for example, skimming devices at point-of-service terminals
- Insider—someone with legitimate access, such as an employee or contractor, intentionally breaching information
- Physical loss—lost, discarded or stolen nonelectronic records such as paper documents
- Portable device—e.g., lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape
- Stationary device—lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility
- Unknown or other
Data Breach Step 1
Determine whether a breach occurred or not.
Indicators: multiple failed logins, sudden use of a long-dormant account, off-hours use, unknown programs, files, devices or users.
Breaches can be difficult to detect.
Data breach - step 2
Containment and physical analysis of the incident.
Recover items, data.
Shut down infiltrated system, revoke access.
Forensic support may be needed.
Full audit and careful analysis, document.
Data breach - step 3
Notify affected parties.
States often require certain content in notification.
Contractual obligations as well.
Timing is crucial.
Data breach - step 4
Implement effective follow-up methods.
Additional training, internal self-assessments, 3rd party audits, additional monitoring.
Identify deficiencies and correct.
OMB requirements for federal agency data breaches can serve as guidance.
The OMB set forth the following framework for a security breach plan:
• Designate the members who will make up a breach response team
• Identify applicable privacy compliance documentation
• Share information concerning the breach to understand the extent of the breach
• Determine what reporting is required
• Assess the risk of harm for individuals potentially affected by the breach
• Mitigate the risk of harm for individuals potentially affected by the breach
• Notify the individuals potentially affected by the breach
OMB policies also focused on the issue of contracts with vendors. From a best-practices perspective, organizations should ensure that vendors are contractually required to do the following: provide training to their employees on identifying and reporting a breach, properly encrypt PII, report suspected or confirmed breaches, participate in the exchange of information in case of a breach, cooperate in the investigation of a breach, and make staff available to participate in the breach response team.
Basic components of state data breach notification laws
- The definition of personal information, meaning the specific data elements that trigger reporting requirements
- The definition of what entities are covered
- The definition of a “security breach” or “breach of the security of a system”
- The level of harm requiring notification
- Whom to notify
- When to notify
- What to include in the notification letter
- How to notify
- Exceptions that may exist to the obligation to notify (or when notification may be delayed)
- Penalties and rights of action
Definition of PI in state data breach notification laws
CT as example:
“an individual’s first name or first initial and last name in combination with any one, or more, of the following data: (1) Social Security number, (2) driver’s license number or state identification card number or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.”
Others include medical and healthcare information.
Some add federal or state ID numbers.
Some add biometric data.
Almost all exclude publicly available information from public records or widely distributed media.
Definition of covered entities under state data breach notification laws
CT as example:
“any person who conducts business in this state, and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information.”
Harm and Definition of Security Breach in state data breach notification laws
CT as example:
Connecticut defines a “breach” of security as “unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information, when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.”
Some states add a materiality qualifier or a “likely to cause identity theft” standard.
Whom to Notify under state data breach notification law
Primarily state residents who are at risk because of the breach.
More than half require AG notification and/or notification of other state agencies, if certain thresholds are crossed.
Timing of AG notification varies, from the same time as affected individuals to later.
At least 28 states require notice to nationwide CRAs, if certain thresholds are crossed (usually higher than the number of affected individuals that triggers AG notice).
All require notification of the owner of the data if the owner is not the company.