At RIMS 2016 in San Diego, Session CRM 001 addressed Data Security and Breach Notification. The session focused largely on the idea of a federal data breach law, one that would provide a uniform standard for breach notification in all states. That may be wishful thinking, because any federal statute would have to decide which state laws to preempt, and working that out could be a complex and labor-intensive process. Lori S. Nugent, partner with Wilson Elser Moskowitz Edelman & Dicker in Chicago, said she did not think a federal data breach law was inevitable. “There has been variation in effectiveness of regulators addressing the issue on the federal and state levels, and I’m not sure when, or whether, the federal government will want to jump into this particular thicket.”
So where does that leave a business that regularly handles protected health information (PHI) or other sensitive data such as financial records? While complying with individual state data breach laws and preparing a breach response plan, remember that California recently updated its breach notification law, found in Civil Code Section 1798.82, through three bills: SB 570, AB 964 and SB 34. The new rules took effect on January 1, 2016. For those building a plan for handling a data breach, there are several key changes to keep in mind.
First, SB 570 amended Civil Code Section 1798.82 to require that notice of a data breach follow a specific format. The notice must carry the title “Notice of Data Breach” and must use the headings “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do” and “For More Information.” The title and headings must be clearly and conspicuously displayed, and the text of the notice may be no smaller than 10-point type. A tip for organizations that have to draft such a letter: if a breach victim lives outside California there may be additional complications, because some states have notification requirements that conflict with this format, and at least one forbids including a description of what happened. A single notice template will not satisfy every state, so check with the Department of Justice or Attorney General’s office for each state whose residents are affected.
Second, AB 964 adds a definition of encryption. Under that definition, data is encrypted if it is rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security. Obviously, even with this definition, some ambiguity remains, and it will likely be resolved through California case law over the next few years. For now, any of the standard full-disk encryption products, be it Microsoft BitLocker, Apple’s FileVault, Kaspersky Endpoint Security 10, or one of the open source Linux encryption platforms, would probably suffice. Remember why encryption matters here: notice is triggered by the unauthorized acquisition of unencrypted personal information, so if lost or stolen data was encrypted, no breach notice is required. The practical caveat is that this protection is only as good as the key management around it. Full-disk encryption protects a laptop that is lost while powered off or locked; it does nothing for a machine taken while unlocked, or where the passphrase or recovery key was stored alongside the device, and an organization relying on the encryption safe harbor should be able to demonstrate that the key was not compromised along with the data.
Third, SB 34 expands the definition of personal information to include data collected through automated license plate recognition (ALPR) systems. Law enforcement and private operators now need to be very careful with the license plate data they collect when it is combined with a person’s first name or first initial and last name. SB 34 also gives an individual harmed by a violation of its ALPR provisions, including unauthorized access to ALPR data or a breach of an ALPR system, the right to sue for actual damages suffered.
One other thing to consider: if a single breach affects more than 500 California residents, the business must also submit notice of the breach to the California Attorney General’s office. This is done through the breach reporting form on the website of the State of California Department of Justice, Office of the Attorney General. The form asks for the date the breach was discovered, the date notice was given to consumers, the type of personal information involved, a description of the breach, the approximate number of individuals affected, and several other details, and a sample copy of the notice sent to consumers (with personally identifiable information removed) must be submitted with it. An incident response plan should capture these items from the start of an investigation so they are ready when the Attorney General’s submission is due.
California set the trend in 2002 when it became the first state to enact a security breach notification law, now found in Civil Code Section 1798.82. Years later, every state but Alabama, New Mexico and South Dakota has enacted a law that requires notice of a security breach. Additional, stricter state standards will likely continue. For example, I would expect other states to define the term “encryption” in a similar manner to California. I would also expect to see other states grant their citizens the right to sue for damages actually suffered. As long as we continue to see massive data breach episodes in the retail, financial and health care sectors, states will continue to ratchet up their laws to protect consumers. All the while, the federal government may remain silent and decide it “doesn’t want to jump into that thicket.”