Security Laboratory

Data Breach Disclosure Laws - a state by state perspective


Philip Alexander

Is your company cognizant of all the different data breach notification laws in the United States? Sure, there’s California Senate Bill 1386, but what about the other 34 states that have similar laws? Do you think you’re familiar with the subtle differences between the various states’ data breach notification laws? OK – let’s test your knowledge. A breach of data that includes a person’s first name, last name and their credit card account number without the PIN doesn’t require disclosure. If you think that’s always true, look up Kansas Senate Bill 196 and think again. Are you legally required to securely destroy sensitive data on paper? In some states you are. Check out Virginia House Bill 872 for example. Of course, the issue then becomes what to do when, in the same data breach, certain state laws require disclosure while others do not. Do you only disclose to those customers that you’re legally obligated to? That could be a public relations nightmare if the other customers found out. And, yes – they will find out. So, if your company has a multi-state brick and mortar footprint, or sells its products on the Internet, you need to be aware of the requirements of the various states’ data breach notification laws.

One constant I did see in the various laws is that companies that have their customers' data maintained for them by a third party are still liable if the data is breached. I call that out-sourcing the work while in-sourcing the liability. The responsibility of the data processor is to notify the company for whom they are storing the data if they have suffered, or believe they have suffered, a data breach. The data owner is still responsible for disclosing the breach to its customers.

Amongst the various states, encryption of the data is generally seen as providing an exemption to the disclosure requirements. Security professionals, and certainly computer engineers, realize that encryption is not the be-all and end-all of protecting data. Encryption is designed to protect the confidentiality of data from unauthorized persons. So if the hacker can ‘fool’ a system into believing they are authorized, they will gain access to the data. Security of the encryption keys themselves is also very important; if they are stolen along with the data, then the hacker can gain access to the information. These issues were apparently being considered in Pennsylvania when they passed Senate Bill 712. Pennsylvania S.B. 712 states that, "An entity must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption key." [1]

Eighteen states, Arkansas, Colorado, and Delaware to name a few, have provisions exempting companies from disclosure if, upon investigation, it is believed that the stolen data will likely not be misused. I would caution companies against relying too heavily on such a provision. For one thing, there is a clear conflict of interest in a company conducting its own investigation to determine whether the data stolen from it as a result of a security breach is likely to be misused or not. In addition to the conflict of interest, how can anybody know the intent of the hacker who stole the data? The risk then is the public's perception if it gets out that your company had their non-public information (NPI) stolen, and you decided that the data wasn’t likely to be misused.

Half of the states, Arizona (Senate Bill 1338) for example, specifically mention redaction of the data as an exemption to their disclosure requirements. To redact sensitive data is to edit it in some manner. An example would be to edit (redact) a credit card account number so that it is no longer a true account number. The lesson here is to only use NPI when it is business critical to do so. For example, many companies are using internally developed customer identification numbers rather than social security numbers to track their customers. This meets their business needs while, at the same time, reducing their data security risks.
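The following is an added example, not code from the article or from its author, showing the two practices described above: masking a card number so the stored value is no longer a true account number, and replacing a social security number with an internal customer identifier so that records carry no NPI at all. The HMAC-based identifier scheme and the sample record are assumptions of this example; the regular expressions and Luhn check act as a guard that a record about to be stored or logged still contains unredacted NPI.

```python
import hashlib
import hmac
import re

# Constructed sample record for illustration only (not real customer data).
SAMPLE_RECORD = {
    "first_name": "Jane",
    "last_name": "Doe",
    "card_number": "4111 1111 1111 1111",
    "ssn": "123-45-6789",
}

# Loose pattern for a 13-19 digit card number with optional spaces/dashes,
# and for a dashed SSN; both are confirmed further below before flagging.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_valid(number: str) -> bool:
    """Luhn checksum: distinguishes a plausible card number from a random
    run of digits (order number, phone number, timestamp)."""
    digits = [int(d) for d in re.sub(r"\D", "", number)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_card_number(pan: str, keep_last: int = 4) -> str:
    """Replace all but the trailing digits with 'X'. The result is no
    longer a usable account number, which is the sense of 'redaction'
    the article describes; the last four digits remain for customer
    service lookups."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < keep_last:
        raise ValueError("card number too short to redact")
    return "X" * (len(digits) - keep_last) + digits[-keep_last:]


def customer_id_for_ssn(ssn: str, secret_key: bytes) -> str:
    """Derive an internal customer identifier from an SSN with a keyed HMAC
    (hypothetical scheme, an assumption of this example). The same SSN
    always maps to the same ID, so it can be used as a lookup key, but the
    SSN cannot be recovered from the ID without the key."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    mac = hmac.new(secret_key, digits.encode(), hashlib.sha256).hexdigest()
    return "CUST-" + mac[:12].upper()


def redact_record(record: dict, secret_key: bytes) -> dict:
    """Return a copy of the record with the card number masked and the SSN
    replaced by an internal customer ID. The input is not modified."""
    out = dict(record)
    out["card_number"] = redact_card_number(out["card_number"])
    out["customer_id"] = customer_id_for_ssn(out.pop("ssn"), secret_key)
    return out


def contains_unredacted_npi(record: dict) -> bool:
    """Guard to run before a record is written to storage or a log: True if
    any string field still holds a full card number or an SSN."""
    for value in record.values():
        if not isinstance(value, str):
            continue
        if SSN_RE.search(value):
            return True
        match = PAN_RE.search(value)
        if match and luhn_valid(match.group(0)):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo key; in practice the key lives in a key-management
    # system, not in source code.
    demo_key = b"constructed-demo-key"
    print("before:", contains_unredacted_npi(SAMPLE_RECORD))   # True
    safe = redact_record(SAMPLE_RECORD, demo_key)
    print(safe)
    print("after:", contains_unredacted_npi(safe))             # False
```

The guard is deliberately conservative: a Luhn-valid 13-19 digit run or a dashed SSN anywhere in a string field is treated as NPI, so a record that fails it should be redacted rather than stored.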

As I stated in the beginning of this article, information breach notification laws are not just limited to electronic data. A handful of states, including California, New York, Utah, Vermont and Virginia, have laws specific to the secure disposal of NPI on paper. There are many companies nationwide that provide secure document disposal services.

All of the 35 states hold businesses liable for the NPI that they have, while 24 hold their own government agencies to the same requirements. Do the math; eleven states gave themselves a pass on their own information breach notification laws. It leads me to wonder about the robustness of the data privacy policies of those states, and their "do as I say, not as I do" approach. These states include Colorado, Georgia, Hawaii, Maine, Minnesota, Montana, North Carolina, North Dakota, Texas, Utah and Vermont.

A word of caution for the would-be hacker. Several states have made it a criminal offense, some even a felony, to steal somebody’s identity. For example, Arizona House Bill 2484 makes identity theft a felony crime.

It is important to know your customer base and in which states they reside. As I said earlier, if you sell on-line, assume that you have customers in all 50 states. Know the subtle differences between the various data breach notification laws to better ensure compliance. Think carefully before deciding not to disclose to some of your customers based solely on the lack of a legal requirement. The public relations fallout could cost your company more than the actual disclosure itself.

This article is a companion to a book entitled Data Breach Disclosure Laws – a State by State Perspective. The book provides an in-depth review of all 35 state data breach disclosure laws. It can be purchased from Aspatore Books at http://www.aspatore.com/store/bookdetails.asp?id=498.

Philip Alexander, CISSP – ISSMP, is an Information Security Officer with Wells Fargo Bank, NA

[1] http://www2.legis.state.pa.us/WU01/LI/BI/BT/2005/0/SB0712P1410.pdf