California enacts stricter data loss rules, will other states follow?


By Byron Acohido

California enacted the first data loss disclosure law in 2003, requiring companies and organizations that lose personal information to inform the individuals whose data has gone missing. Since then 46 other states have passed similar laws. This week California Gov. Jerry Brown signed into law an amendment that toughens The Golden State’s pioneering legislation in three ways.

In the wake of massive data breaches at Target, Neiman Marcus, Michaels, PF Chang’s and Home Depot, California now appears to require organizations who lose certain types of data to supply “appropriate identity theft prevention and mitigation services” to each victim at no cost for 12 months. At least that’s how this amendment was widely viewed. However, legal experts say two little words inserted into the version signed by Brown muddle the mandatory nature of this new rule.

California’s law now also extends to companies that “maintain” personal data, not just own or license personal data. And in California it is now illegal to “sell, advertise for sale, or offer to sell” someone’s Social Security Number.

ThirdCertainty asked Eduard Goodman, IDT911’s Chief Privacy Officer, about the wider significance of California’s move. Full disclosure, IDT911 is the corporate sponsor of ThirdCertainty.

3C: Can you unmuddle this? What exactly is now being required?

Goodman: The original version of this bill read almost identically to how it was passed. However, the version signed into law adds the words “if any” to refer to the offer of “appropriate identity theft prevention and mitigation services.” The inclusion of this language now muddies the statute. It would appear that the legislative intent to mandate that monitoring, prevention and mitigation services be offered in certain situations has been gutted.

Instead, the law now simply provides that IF any services are supplied to support the victims of the breach, the institution offering it must indicate that the service offered is provided at no cost to the affected person; provide the service for not less than 12 months; and provide all of the information necessary to take advantage of the offer to any person. The language is a bit confusing and I have a strong feeling the actual meaning will eventually be tested and interpreted by the courts in the coming year or two.

3C: Don’t companies who admit big breaches already do this on their own accord?

Goodman: Larger companies do tend to offer free services in the wake of a breach. This usually comes in the form of credit monitoring services. Smaller companies may not have proper insurance or enough money in reserves to cover breaches. Many smaller companies do not opt to offer any form of assistance and will often, based on cost constraints, simply provide the required notification of the event.

3C: The devil is always in the details. How do you expect this to actually play out over time, in terms of resulting in a material benefit to victims?

Goodman: I hope it results in companies giving credit monitoring services in cases where it is useful, such as breaches that involve stolen SSNs, rather than in cases where it is a distraction, as with payment card breaches. There are generally accepted best practices in responding to breaches. Providing more robust support services is called for in higher risk situations, such as when there is a targeted theft of personal information. And lower level courtesy services are adequate for lower threat scenarios, in cases when information is lost or misplaced. Unfortunately the statute provides no real guidance as to what “appropriate services” are.

3C: What’s significant about extending data security responsibilities to organizations that maintain data?

Goodman: Previously the requirement to implement and maintain reasonable security measures was only incumbent upon those who ‘owned or licensed’ personal information. However, the extension now applies to anyone that also maintains personal data. The definition of “maintains” is vague at best. Essentially the requirement means that if you HAVE personal information in your company’s possession, whether you own or license it or just hold it for another, you now need to provide for its security as well. Seems common sense, but the statute fell short on that requirement in the past.

3C: What’s the thinking behind banning the sale of SSNs? That seems like an obscure scenario.

Goodman: The practice is not as obscure as you may think. This happens in all different types of situations, whether it be desperate parents who sell their children’s SSNs to help make ends meet or buying and selling the SSNs of the deceased by getting access to the Death Master File. This just seems to be one more way to crack down on the illicit trade in identity information in California, one of the states with consistently high rates of ID theft.

3C: What drove California to make these changes?

Goodman: California, unlike most states with data breach notification requirements, does NOT take a set-it-and-forget approach to their privacy legislation. The regulation has already been modified prior to this, just last year. In addition, California is at the forefront of these areas. Originally, the intent was to make offering support service to breach victims a mandatory requirement, which, as already discussed, was not the end result here. Keep in mind this is just one of many areas where California has been trying to tighten up privacy laws, with education privacy being one of the next main areas that will be tackled.

3C: What’s going on in other states? Are others moving to expand data loss rules and responsibilities?

Goodman: One of the big trends we’ll start to see is the expansion of education-related privacy legislation passing in multiple states. These new laws focus on privacy of education information for children in grade school through college and grad school. In addition, other states are expanding their laws to cover paper records, not just digital data, and to start tightening the time frames for required notifications to be sent out.

3C: The drive for a federal data loss disclosure law seems to have lost steam. Where does that stand?

Goodman: The problem with federal attempts is that they all tend to weaken the consumer protection already in place in the 47 different states with breach notification laws. In addition, Congress seems to be more willing to weaken these laws based on pressure from industry groups and special interests whereas on the state level these influences seem more limited. In the end I wouldn’t hold my breath for any more talk of a breach notification bill until after the mid-terms. More realistically we may not hear anything about it federally until after the 2016 election cycle.
