States start to set their own bar for data-breach notification


By Rodika Tollefson, ThirdCertainty

As prospects of passing consumer-privacy legislation in Congress remain bleak, state lawmakers are picking up the ball and running with it.

At least 32 states have data-breach notification laws on the docket this legislative session, according to the National Conference of State Legislatures. Most of those bills are tightening and expanding existing laws.

“As we’ve seen now how breaches work, a lot of the states are realizing it’s time to update what for some of them are decade-old statutes,” says Eduard Goodman, chief privacy officer at IDT911 (which sponsors ThirdCertainty).


The Connecticut General Assembly is one of the latest examples. Earlier this month, it changed its breach-notification laws to require businesses to notify victims within 90 days and to provide them with at least a year of identity-theft protection.

Tom Patterson, Unisys vice president of global security solutions

“Everyone would be happy if there was a federal law because it would be so much simpler,” says Tom Patterson, a security and privacy expert and vice president of global security solutions at Unisys, a global information-technology company. “But in the absence of that, states are taking matters into their own hands and trying to do things to better protect their citizens.”

Since California enacted the first breach-notification law in the country in 2002, all but three states — Alabama, New Mexico and South Dakota — eventually followed suit. (Alabama and New Mexico have unsuccessfully tried to pass related legislation several times in the past few years.)

Lawmakers have a nose for news

The media is one of the drivers behind the momentum. As breaches dominate the news, state lawmakers are taking notice—especially if the news hits close to home.

In Washington state, for example, breaches in recent years have included the Catholic Archdiocese of Seattle and the state’s own Public Disclosure Commission.

“Legislators often react to what’s in the news, and we try to solve that problem,” says Rep. Zach Hudgins, who sponsored a recently passed bill in the Washington Legislature that expands the state’s breach-notification laws, including to paper records.

“There’s momentum because legislators are getting better educated on the issues, and some of the issues are very complex,” says Hudgins, who has worked at Amazon and Microsoft, and is one of few tech industry professionals in the Legislature.

Wider definition of PII

Many of the state bills during the current legislative session are expanding the definition of personal information to include things such as biometric and health data. Many states also are requiring notification of the state attorney general, and several are delving into K-12 student data protection.

“These are reactive laws, they’re good in terms of notification, but we also want to see the states setting baseline security standards that companies have to follow,” says Caitriona Fitzgerald, chief technology officer and state policy coordinator for the Electronic Privacy Information Center (EPIC).

Only a minority of states is including proactive requirements in their bills. While in some cases that includes a provision for basic encryption, it also could entail something as simple as having a response plan and practicing it several times a year.

One of the challenges is the complexity of the technology, which leads to disagreements over seemingly benign aspects like the definition of cybersecurity.

“It’s a technical issue and legislators struggle to understand it,” Fitzgerald says.

Another challenge—and the reason other privacy and security bills are a much tougher sell than breach notifications—is the idea of the government telling companies how to run themselves, especially when it involves ever-changing technology and a lack of standards.

“To get into prescribing security, you have to have some benchmarks, and everything changes so quickly. It’s a slippery slope and a difficult thing to peg down,” Goodman says.

One size doesn’t fit all

Although many state lawmakers are modeling their bills after other states, the laws still vary widely around the country. As one example, Florida is the only one requiring notification to consumers within 30 days of breach discovery, while other states have much longer deadlines or no deadlines at all.

But Patterson says the variation is not a real loss of protection depending on what state you live in; it is more a matter of perception.

“The reality is that most companies, if they have to do something for one state, it’s easier to do it for all 50 states than follow individual rules,” he says.

And some of the changes may not be for the best. Goodman says he’s seeing the response by companies become driven by compliance rather than a desire to do something meaningful for consumers.

“People are getting overnotified to a point where they don’t give it a second thought,” he says. “They’re getting desensitized. It’s a double-edged sword.”

Capitol Hill not on bandwagon

The momentum in the state legislatures to tackle data-related bills is not likely to spill over to the federal government, however.

“Congress is much more beholden to special interests and influence,” Goodman says.

And the topic of privacy, in general, is much more sensitive than breach notification. Patterson notes that there’s big business built around personal data because consumers are willing to trade their information for free things like mobile apps, search engines and social networks.

“You’re paying for it by giving up some of your privacy,” he says. “There’s a lot of big money lobbying against privacy.”


Even at the state level, many privacy-related bills die without making it out of committee—as was the case this session in Washington state. Hudgins says if simple bills die in the state Senate, it’s easy to see how Congress would stall.

Another challenge is that federal legislation often preempts state laws—with the current White House privacy bill as a prime example.

“The pressure the feds get is to water down the increasingly robust laws by passing something federally that’s more predictable and easier to comply with,” Goodman says. “For the most part, that weakens the consumer protection pretty substantially.”

Fitzgerald notes that 432 million online accounts were hacked last year and says the problem should be addressed at both state and federal levels.

“As a baseline, the federal government should pass something,” she says. “But anything that the federal government passes should not preempt state laws.”


