Discussion
State Laws Protecting Citizen Information and Breach Notification Laws
ISOL633 - Legal Regulations, Compliance, and Investigation
Learning Objective
Describe state legal compliance laws addressing public and private institutions.
Key Concepts
State regulation of privacy and information security
State data breach notification
State encryption regulations
State data disposal regulations
History of state privacy protection laws
DISCOVER: CONCEPTS
California Notification Law
California Database Security Breach Notification Act
First breach notification law
Enacted on July 1, 2003
Purpose to give California residents timely information to protect themselves
Serves as model for other states
California Notification Law
Anyone who owns or uses computerized data containing unencrypted personal information
Who Must Comply?
State agencies
Private organizations
Business
Any entity storing info on California residents
Nonprofit organizations
Data Breach Notification Laws
Requirements to inform customers of a data breach
Civil and/or criminal penalties for failure to disclose
Private right of action
Exemptions from reporting
DISCOVER: PROCESS
Personal Information - Defined
The general definition of “personal information” is:
Both the individual’s first name/initial and last name
And one or more of
Social Security Number
Driver’s License / State ID Number
Financial Account/Credit/Debit number AND the PIN/code/password to access it
Does not include publicly available information legally obtainable by the general public from governmental records.
Check out this PDF from Baker & Hostetler, LLP for a nice chart documenting where personal information is wider than the general definition.
Breach Notification Decision Making
If breach occurred or may have occurred and
Computer system contains personal information
Personal information was encrypted
No notification required
Breach Notification Decision Making
If breach occurred or may have occurred and
Computer system contains personal information
Personal information was not encrypted
Individuals must receive notice of security breach
DISCOVER: ROLES
Roles
Chief Information Security Officer
Manages investigations of possible breaches
Legal Counsel
Handles all legal issues associated with the compromise of protected data
Office of Public Affairs
Directs all internal and external communication
Manages media relations
Maintains contact with law enforcement.
Human Resources
Advises on personnel issues and communications
States vary on what is covered
Encryption Regulations
Massachusetts
“Standards for the Protection of Personal Information of Residents of the Commonwealth”
Nevada
Data collectors must use encryption when transmitting personal information outside of their business network
Encryption as a Safe Harbor
Tennessee
In 2016, the language providing encryption as a safe harbor was removed.
In 2017, the encryption as a safe harbor was reinstated so long as the information’s encryption key isn’t acquired by an unauthorized person
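The “personal information” definition and the breach notification decision tree above, combined with the Tennessee-style caveat that encryption is a safe harbor only while the key stays out of unauthorized hands, as an added triage helper (example code written for this page, not part of the original slides; the record fields and element names are assumptions for illustration):

```python
from dataclasses import dataclass, field

# Elements that, together with a name, make a record "personal information"
# under the general definition on the slides. A financial account number counts
# only when the PIN/code/password needed to access it is also present.
STANDALONE_ELEMENTS = {"ssn", "drivers_license", "state_id"}


@dataclass
class Record:
    has_name: bool                       # first name/initial AND last name present
    elements: set = field(default_factory=set)  # e.g. {"ssn"}, {"financial_account"}
    has_account_access_code: bool = False
    from_public_government_record: bool = False  # lawfully public records are excluded


def is_personal_information(rec: Record) -> bool:
    """Name plus at least one listed data element, excluding public government records."""
    if rec.from_public_government_record or not rec.has_name:
        return False
    if rec.elements & STANDALONE_ELEMENTS:
        return True
    return "financial_account" in rec.elements and rec.has_account_access_code


def notification_required(rec: Record, breach_possible: bool, encrypted: bool,
                          key_compromised: bool = False) -> bool:
    """Decision tree from the slides: a breach that occurred or may have occurred,
    on a system holding personal information, requires notice unless the data
    was encrypted. Encryption is a safe harbor only if the key was not acquired
    by an unauthorized person (the Tennessee 2017 language)."""
    if not breach_possible or not is_personal_information(rec):
        return False
    if encrypted and not key_compromised:
        return False  # safe harbor applies: no notification required
    return True       # individuals must receive notice of the security breach


if __name__ == "__main__":
    # Constructed sample: name + SSN, unencrypted, possible breach -> notify
    print(notification_required(Record(has_name=True, elements={"ssn"}), True, False))
```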
Data-Specific Security and Privacy Regulations
Minnesota and Nevada
Require businesses to comply with Payment Card Industry standards
Indiana
Limits SSN use and disclosure
Data Disposal Regulations
Washington
Health and financial data must be destroyed when no longer needed
Law applies to any person or entity in the state
New York
No person or business may dispose of a record containing “personal identifying information” without shredding, destroying, or modifying it
Examples of Breaches
ChoicePoint Data Breach
ChoicePoint was a data broker
Databases contained public information and names, addresses, Social Security numbers, credit history, DNA information
Breach in late 2004; disclosed in February 2005, when California residents were notified
ChoicePoint data breach spurred creation of data breach notification laws in many states
Equifax Data Breach
Equifax is a consumer credit reporting agency
Databases contained public information and names, addresses, Social Security numbers, credit card numbers, driver’s license numbers, credit dispute information, etc.
Breach in early 2017; discovered in late July; disclosed on:
September 7, 2017 – 143M US / 0.4M to 44M British / 8K Canadian consumers
October 2, 2017 – added 2.5M more US consumers
October 10, 2017 – 15.2M UK consumers’ PII, 11M US driver’s licenses
February 11, 2018 – US consumer data included dates of birth, card expiration dates, and email addresses
Summary
State regulation of privacy and information security
Data breach notification
Correction:
All states now have data breach notification laws.
States are now starting to pass laws governing data brokers like Equifax
Some states are even starting to pass laws that mirror portions of the GDPR. (California passed a law in June that gives consumers the right to:
Request all the data that a company has on them
Request that data on them be erased (the right to be forgotten))