Data breach Sharing Framework


With the Massachusetts Data Privacy Law now in place (and presumably you are in compliance with it), you need to think about what to do if you have an incident.

Verizon has published the Verizon Incident Sharing Framework to help.

Our goal for our customers, friends, and anyone responsible for incident response, is to be able to create data sets that can be used and compared because of their commonality. Together, we can work to eliminate both equivocality and uncertainty, and help defend the organizations we serve.

The framework is set up to help classify incidents, their discovery, mitigation and impact.

National Data Privacy Laws Move Forward

With last week’s further revisions to the Massachusetts Data Privacy Law [Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)], people are wondering if the federal government is going to step into the space and create a national standard. Most states have enacted some form of data breach or data privacy law, creating a patchwork of laws across the country.

I found three separate bills moving through the legislative process: the Data Accountability and Trust Act (H.R. 2221), the Personal Data Privacy and Security Act of 2009 (S.1490), and the Data Breach Notification Act (S. 139).

Data Accountability and Trust Act (H.R. 2221)

This bill was in the House Committee on Energy and Commerce and referred to the Subcommittee on Commerce, Trade and Consumer Protection. They recommended it be considered by the House as a whole on September 30.

This act would require the Federal Trade Commission to promulgate regulations requiring each person engaged in interstate commerce that owns or possesses electronic data containing personal information to establish security policies and procedures.

Personal Data Privacy and Security Act of 2009 (S.1490)

Last week, the Senate Judiciary Committee approved the Personal Data Privacy and Security Act of 2009 by a vote of 14-5, sending the bill to the full Senate for consideration.

This act would amend the federal criminal code to: (1) make fraud in connection with the unauthorized access of sensitive personally identifiable information (in electronic or digital form) a predicate for racketeering charges; and (2) prohibit concealment of security breaches involving such information.

This law would preempt state regulation in this area.

The Data Breach Notification Act (S. 139)

Last week, the Senate Judiciary Committee approved the Data Breach Notification Act by a vote of 14-2, sending the bill to the full Senate for consideration.

This act would require any federal agency or business entity engaged in interstate commerce that uses, accesses, or collects sensitive personally identifiable information, following the discovery of a security breach, to notify: (1) any U.S. resident whose information may have been accessed or acquired; and (2) the owner or licensee of any such information that the agency or business does not own or license. The notice must be given “without unreasonable delay” following discovery of the breach.

It also authorizes civil actions by state attorneys general to enforce the act. This act would supersede any other provision of federal law, or any provision of state law, relating to notification of a security breach by a business entity engaged in interstate commerce or by an agency.

These are just bills, so it’s hard to tell what may happen to them. The clock is ticking. The Massachusetts data security law goes into effect on March 1, 2010.

National Data Privacy Law Proposed


With a multitude of states trying to protect their citizens when it comes to breaches of personal data security, it is becoming increasingly difficult to manage compliance with this patchwork of laws. The Data Accountability and Trust Act (H.R. 2221) proposed in Congress would preempt state laws and make regulation of data security a matter of federal regulation.

If passed in its current form, the procedure and time frame for notifications in the event of a data breach would be standardized instead of the differing requirements from state to state. It would also require the Federal Trade Commission to regulate the security practices around personal data.

The most controversial part seems to be the provisions around information brokers (companies that gather personal information about people who are not their customers in order to sell it to third parties). It would require these brokers to establish reasonable procedures to verify the accuracy of the personal information they collect. They would also have to provide consumers with access to that information.

Although it is still working its way through the system, it has already been forwarded by the subcommittee to the full House Energy and Commerce Committee.

The HITECH Act

I sat in a webinar on CyberSecurity Law: The Best Offense is a Good Defense sponsored by Pillsbury Winthrop Shaw Pittman LLP. One aspect of the presentation was the Health Information Technology for Economic and Clinical Health Act.

This created the first federal data breach notification law. It also substantially revised the HIPAA regulations regarding privacy and security.

A “Breach” means:

  • Unauthorized access, use or disclosure of Protected Health Information (PHI)
  • That compromises the security, privacy or integrity of the Protected Health Information
  • Does not include unintentional disclosures if made in good faith and within the course and scope of employment or a business associate relationship, provided that the Protected Health Information is not further acquired, accessed, used or disclosed

The difference between the HITECH Act and the state data breach notification laws deals with encryption, not security. It focuses on medical information, not just financial/identification information. Only California and Texas include medical information in their data breach notification laws.

The regulations from the FTC are very detailed. You must notify each US citizen and resident whose information was acquired by an unauthorized person, and the FTC. The burden is on the company to demonstrate that all required notifications were made.

Sending the breach notification:

  • By 1st class mail to the last known address
  • By email “if specified as preference by the individual” (express affirmative consent required – pre-checked boxes and disclosures in TOS/Privacy Policy are NOT sufficient)
  • May provide notice via telephone or other means if the Breach is deemed to require urgency (e.g., due to possible imminent misuse of PHI)

Notification may be delayed for law enforcement purposes, consistent with the HIPAA Privacy Rule.

If more than 10 individuals are affected, the Covered Entity must:

  • post notice on its home page (and “landing pages” for existing account holders (FTC))
  • provide notice to major print/broadcast media in the relevant geographic area, including a toll-free phone number
  • ensure the notice is prominent, clear and conspicuous, stated in plain language, and run multiple times

Jurisdiction is split between the FTC and Health and Human Services. You are still subject to state enforcement of data breaches under state law.