There are currently more than 40 different state and territorial laws that require organizations entrusted with personal identifying information to notify individuals when their information has been exposed to unauthorized parties. These laws range from those only requiring notification to those that mandate full security programs designed to prevent breaches in the first place. They define personal identifying information differently, require different notification processes, and force organizations to deal not only with the victims of the breach, but also the attorneys general of all the states where victims reside. The complexity and cost of notification, let alone the difficulty of ensuring compliance with security program requirements, are daunting.
Still, breaches that lead to identity theft happen regularly and people expect organizations to be held accountable for their personal information's security. Politicians have heard the public outcry and have recognized that there is a need for more uniform protection of personal data and more manageable and predictable notification processes. Consequently, every year there seem to be a handful of new proposed federal laws to address the growing problem of sloppy handling of personal information and breaches.
At the end of 2009, the U.S. House of Representatives passed the Data Accountability and Trust Act of 2009 (DATA). If passed by the Senate and signed into law, DATA would supersede existing state laws and thereby eliminate the complex array of notification procedures and the myriad protection mechanisms required by the states. The proposed law would also provide a universal definition of personal identifying information, appoint the Federal Trade Commission to specify regulations and enforce compliance, and require organizations to implement formal security programs to prevent unauthorized access to personal identifying information. Compared to other data protection legislative efforts, DATA's passage in the House makes it the only bill to gather the necessary support in either chamber. Its impact is potentially far reaching, and organizations should understand how it might affect them.
PERSONAL INFORMATION DEFINED
At the heart of DATA, or any data protection law, is the definition of personal identifying information. The definition is critical because it not only spells out what types of information need to be protected, but also helps organizations strip out elements of data sets to avoid having to protect them. This practice, known as scrubbing, is commonly used to protect credit card numbers and social security numbers by masking all but the last four digits.
DATA defines personal information as an individual's first name or initial and last name, or address, or phone number, in combination with any one or more of the following data elements for that person:
- Social Security number;
- Driver's license number, passport number, military identification number, or other similar number issued on a government document used to verify identity;
- Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual's financial account.
This definition is similar to most state breach laws with some notable differences: It does not consider a financial account number alone (without a PIN or password) sensitive. In addition, unlike another proposed federal law -- S. 1490, the Personal Data Privacy and Security Act -- DATA makes no mention of mother's maiden name as sensitive (even though it is often used to authenticate an individual's identity).
The law would provide room for the FTC to modify the definition of personal information as necessary to accomplish the goals of the Act as long as these changes do not unreasonably impede interstate commerce.
APPLICATION AND ENFORCEMENT
As proposed, DATA will be regulated and enforced by the FTC. Consequently, the legislation applies only to those entities over which the FTC has jurisdiction. Even though DATA states that it applies to persons, partnerships, or corporations engaged in interstate commerce, it does not apply to all organizations. One of the most significant repercussions of the appointment of the FTC is the limit of the legislation's jurisdiction; the FTC does not regulate banks, savings and loans, or common carriers such as airlines and railroads.
However, the FTC is not the only enforcer of the law. DATA also carves out room for state attorneys general to take action against violators. They are empowered to enjoin further violation, compel compliance, or obtain civil penalties. In other words, state attorneys general have about the same power they have under the current state laws. The FTC or U.S. Attorney General, though, could intervene and limit state prosecution while federal actions are pending.
One of the ways DATA distinguishes itself from state laws that simply deal with breach notification is that it requires organizations to implement a security program designed to prevent compromise of the information. Organizations need to:
- Appoint a person as a point of contact who is responsible for overseeing the program;
- Document a security policy for the collection, use, sale, dissemination, and maintenance of personal information;
- Establish contracts with third parties with access to the information to establish controls meeting the requirements of the Act;
- Establish a process to identify risks and vulnerabilities and implement administrative and technical controls to mitigate the risk of compromise of the information;
- Define and implement a process for securely disposing of both digital and paper records including personal information.
The security controls required by DATA are similar to those required by state regulations like Massachusetts 201 CMR 17; they include a risk assessment, a vulnerability assessment, testing, remediation, and secure destruction and disposal of personal information. One notable exception is that DATA only requires organizations to establish contracts with third parties to protect personal information; it does not require definition of the policy and procedure for vetting the security practices of these organizations. Some state and federal regulations, most notably 201 CMR 17 and HIPAA, provide more in-depth requirements for dealing with business associates and service providers. This may be an area that the FTC will spell out more clearly if DATA becomes law.
The legislation also does not provide requirements for where encryption is required. State laws and regulations from Massachusetts and Nevada require encryption of personal information when it is transmitted over public networks or stored on removable devices. This may also be an area eventually addressed by FTC regulations or guidance.
BREACH NOTIFICATION RULES
Any organization that has gone through the process of breach notification according to multiple state laws would likely welcome the single set of rules that would come from a federal law.
DATA defines 'breach of security' as the unauthorized access to or acquisition of data in electronic form containing personal information. However, the legislation allows the data owner to avoid the process of notification if the data owner determines that there is no reasonable risk of identity theft, fraud, or unlawful activity. While this is a rather broad statement, it means, at a minimum, that information that was encrypted and exposed to unauthorized parties would not be considered breached.
In the event of a breach, DATA requires data owners to notify the FTC and directly notify each individual throughout the U.S. whose data has been exposed. This notification must take place within 60 days of discovery of the breach.
The data owner may send notice in writing or electronically. However, electronic notification is only acceptable if the individual has consented to receiving official communications in that manner. In cases where the data owner does not have complete contact information for all individuals, the data owner may use email to the full extent possible, publish a notice on its website, and issue notification in print and broadcast media for areas where the victims reside.
The notification must include a description of the information breached and a toll-free number to inquire about the breach. The letter must also include an offer to receive free quarterly credit reports for two years or a credit monitoring service. The individual must also be given toll-free numbers for credit reporting agencies and contact information for the FTC to learn about identity theft.
INFORMATION BROKERS IN THE CROSSHAIRS
Companies that collect personal data face extra requirements under DATA
A major difference between state laws and DATA is the set of special requirements for information brokers. DATA requires information brokers to implement controls and program elements in addition to those required of data owners. This provision is likely an attempt to avoid another breach like the one involving ChoicePoint in 2005 by making data brokers accountable for the information they collect and sell.
The legislation defines information brokers as a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers. Information brokers collect such data in order to sell it or provide third party access to it for a fee; they may either collect information themselves or contract others to collect and maintain the information. The definition specifically excludes entities that maintain information about employees, customers, or former customers.
Under DATA, information brokers must establish "reasonable procedures" to assure the accuracy of personal information they collect, assemble, or maintain. In addition to striving to maintain accuracy, they must support a program to respond to individuals' written requests to provide information assembled about them once per year. These responses must be provided at no cost to the individual and the method for submitting requests must be conspicuously advertised on the organization's web site. Individuals must also be able to use this method for expressing a preference as to how their information might be used for marketing purposes.
If someone finds inaccuracies, the information broker must provide a mechanism for the individual to request changes to correct the inaccuracies. If the broker is not the source of the information (e.g., the data was harvested from public records), the broker must provide the person the source of the information and a method for correcting the inaccuracy at the source organization. The individual may provide proof that the public record has been corrected and require the information broker to correct its version of the information. Someone may also require a broker to mark the information as disputed if it hasn't been corrected.
As proposed by DATA, when an information broker has a breach, it must follow the same reporting procedures as other businesses. However, these organizations must also submit the policies governing their personal data protection program to the FTC as part of the notification and may be required to undergo an FTC security audit. The FTC has the right to request an information broker's policy at any time.
--RICHARD E. MACKEY, JR.
DATA sets out steep penalties for violations, which come in two types: failure to comply with security program requirements, and failure to follow the breach notification rules.
The two types of penalties are calculated differently. The amount for security program penalties is based on the number of days the organization is found to be non-compliant multiplied by a maximum of $11,000 per day. Notification penalties are calculated by multiplying the number of violations -- individuals they failed to notify -- by an $11,000 maximum. Each failure to send notification is considered a separate violation. The Act sets the maximum civil penalty for violations of each type to $5 million, making it possible for a single organization to pay up to $10 million for a combination of security program and notification violations.
The biggest difference between existing state laws and the proposed federal laws (both DATA and other similar bills) is the inclusion of special requirements for information brokers. (See sidebar above.) This "special treatment" will not be taken well by the large organizations in the information broker business as it increases cost substantially.
It will be interesting to see how information brokers and businesses in general react to these bills as they are debated in the Senate. Maplight.org, a nonprofit, nonpartisan research organization that tracks money and influence in the U.S. Congress, shows that the backers of the bill receive campaign contributions from finance companies and credit agencies. This makes sense as both these groups would benefit from stronger identity controls. Maplight.org shows no money associated with opposition to the bill -- at least not as yet.
DATA clearly has benefits for the general population and, whether they want to admit it or not, businesses that will need to notify people when breaches occur. The overall approach of ensuring that organizations formally protect information, implement sound technical controls that include risk assessment and treatment, and follow a uniform set of notification and support procedures promises to reduce the incidence of identity compromise and create incentives to improve overall security.
Richard E. Mackey, Jr. is vice president of consulting at SystemExperts, an information security-services firm. Send comments on this article to firstname.lastname@example.org.