Security Laboratory
Data Breach Disclosure Laws - a state by state perspective
April 5th, 2007
By Philip Alexander
Is your company cognizant of all the different data breach
notification laws in the
One constant I did see in the various laws is that companies whose customers' data is maintained for them by a third party are still liable if the data is breached. I call that out-sourcing the work while in-sourcing the liability. The responsibility of the data processor is to notify the company for whom it is storing the data if it has suffered, or believes it has suffered, a data breach. The data owner is still liable for disclosing the breach to its customers.
Amongst the various states, encryption of the data is generally seen as
providing an exemption to the disclosure requirements. Security professionals,
and certainly computer engineers, realize that encryption is not the end-all of
data protection. Encryption is designed to protect the confidentiality of data
from unauthorized persons, so if a hacker can ‘fool’ a system into believing
they are authorized, they will gain access to the data. Security of the
encryption keys themselves is also very important; if the keys are stolen along
with the data, then the hacker can read the information. These issues
were apparently being considered in
Eighteen states (Arkansas, Colorado, and Delaware, to name a few) have provisions exempting companies from disclosure if, upon investigation, it is believed that the stolen data will likely not be misused. I would caution companies against relying too heavily on such a provision. For one thing, there is a clear conflict of interest when a company conducts its own investigation to determine whether the data stolen from it in a security breach is likely to be misused. Beyond the conflict of interest, how can anybody know the intent of the hacker who stole the data? The risk is then the public's perception if it gets out that your company had their non-public information (NPI) stolen and decided on its own that the data wasn’t likely to be misused.
Half of the states specifically mention redaction of the data as an
exemption to their disclosure requirements,
As I stated in the beginning of this article, information breach notification
laws are not just limited to electronic data. A handful of states, including
All of the 35 states hold businesses liable for the NPI that they have,
while 24 hold their own government agencies to the same requirements. Do the
math; eleven states gave themselves a pass on their own information breach
notification laws. It leads me to wonder about the robustness of
the data privacy policies of those states, and their "do as I say, not as I do"
approach. These states include
A word of caution for the would-be hacker. Several states have made it a criminal offense, some even a felony, to steal somebody’s identity. For example, Arizona House Bill 2484 makes identity theft a felony.
It is important to know your customer base and in which
states they reside. As I said earlier, if you sell on-line assume that you have
customers in all 50 states. Know the subtle differences between the various data
breach notification laws to better ensure compliance. Think carefully about
not disclosing to some of your customers based solely on the lack of a legal
requirement. The public relations fallout could cost your company more than
the actual disclosure itself.
This article is a companion to a book entitled Data Breach Disclosure Laws – a State by
State Perspective. The book provides an in-depth review of all 35 state
data breach disclosure laws. It can be purchased at Aspatore Books: http://www.aspatore.com/store/bookdetails.asp?id=498.
Philip Alexander, CISSP – ISSMP, is an Information Security Officer with Wells Fargo Bank, NA