Written on November 15, 2006
Over 31 states have enacted a data breach law that obligates businesses to report theft of Personal Private Information (PPI). These laws generally define how a business is to legally notify the public when incidents involving the accidental disclosure, theft, or destruction of PPI occur. A complete listing of such states is maintained by the Consumers Union and can be accessed online.
State laws and regulations exist because of the lack of a Federal response to the problem of securing sensitive consumer data. As my practice encompasses both Oregon and Washington, it may interest my own clients to know that Oregon has yet to pass a data breach law, but Washington’s went into effect in July 2005.
Generally speaking, the Washington law requires any business or person that owns or licenses PPI in the form of electronic data to disclose a breach of the system to all affected Washington residents. Sounds straightforward, but it gets a little more nuanced. Washington’s law applies only when the PPI was unencrypted, when the loss was not merely due to a “technical” problem, and when it is reasonably believed that the data was acquired by an unauthorized party. The idea being that loss of encrypted data is acceptable, a technical faux pas caused by a careless administrator mistake can be ignored, and if there’s no risk of unauthorized access, who gives a rip? Bottom line: if there’s no suspicion of direct unencrypted exposure or criminal activity – it was just a technical error – then reporting is not required. Notification takes the form of a press release published to the media or a notice posted on the business’s website.
So you might be thinking: “Wait a minute – there’s no obligation to do _anything_ in the other 19 states to protect PPI?” Not so. Even without a specific data breach law, protecting the confidentiality, integrity, and availability of PPI is a “Due Care” obligation in the eyes of the law, which evaluates the proactive steps a company took to secure PPI against the standard of “reasonable” behavior.
Example: say there’s a data breach at your company resulting in the exposure of some 50,000 customer records. Crappy day; nobody wants this memo. In discovery, it is determined that this breach happened because a virus exposed the data. It is further determined that your company ran no anti-virus software, nor did you have a policy or an official stance on anti-virus defense. It could be argued in a tort proceeding against you that the damages that occurred are the result of your negligence – management did not take “Due Care” in installing an anti-virus package; therefore, you are liable for the PPI exposure. The judge would get to hear hours of expert testimony to decide whether or not negligence was a compelling factor in the case. Ho-hum, they’ll end up settling anyway.
However, demonstrating a “due care” violation and negligence is a case-by-case determination. Failure to report, by contrast, is breaking a state statute, which has broader compliance ramifications. More complex still are the federal regulatory laws that define categories of PPI (HIPAA, FERPA, GLB, COPPA, etc.), which would also be examined in a compliance review.
Due to the extensive liability and potential havoc to one’s brand, today, more than ever, businesses should do a few things to contain liability in this area and review their “Due Care” practices.
1. Review and document their practices for data collection, storage, retrieval, and destruction. These procedures should be reviewed by the organization’s board of directors, recorded in meeting minutes, and executed by a responsible officer of the company.
2. Businesses should completely understand the federal and state data breach notification procedures to which they’re subject; timing of the notification is often critical.
3. Businesses should understand when to contact law enforcement and have a procedure for involving local cybercrime units and/or the FBI. This kind of document is referred to as a Cyber Incident Response Plan (CIRP) within the NIST Business Continuity protocol (SP800-34).
4. Review the existing privacy policy and privacy statements for state and federal compliance. Update such policies as necessary.
The US Congress has yet to pass a federal data breach act, but federal legislation is expected before 2010. Really, there’s a bigger issue here than just legislation and liability that should motivate us, and that is simply doing the right thing: accepting the risks posed by handling PPI and developing a framework of responsible management. Being aware of the legal expectation in your state may be a good place to begin.
R
Russell Mickler works as a technology consultant in Battle Ground, WA, USA. With over thirteen years of experience, Mickler holds a CISSP, MCSE, and a Master’s Degree in Information Technology, and is pursuing his Doctorate at Walden University. His website can be found at www.micklerandassociates.com; he can be contacted at mickler@micklerandassociates.com.
Anonymous says:
Comment posted on: November 16, 2006
I wonder why the federal response to maintain data breaching has been minimal to none? Are organizations not concerned about the security of employee PPI enough to force a federal response to counteract these breachings?
- Harold Thompson
Purely political – congressional priorities, Harold. A data breach act has been through committee in Congress for some time; with other pressing priorities on their plate this next session, it’s unlikely they’ll get around to passing it. There is supposed to be a sweeping set of new consumer privacy laws that would also go into place around the same time – what I’m reading is 2010 at the earliest.
-R