Whether or not you view the passage of California's SB 1386 data privacy law in 2003 as a watershed moment in the information security world, few can argue that its enactment significantly changed the infosec playing field.
Although federal legislation had covered certain industry verticals (e.g., GLBA and HIPAA/HITECH), most activity involving broadly applicable privacy and information security laws has occurred at the state level. SB 1386 initiated much of this activity. Over time, a definite trend has emerged: reactive state laws dealing with cybercrime have given way to proactive laws requiring affirmative steps to secure information systems.
Early state data privacy laws criminalized various activities that today would collectively be referred to as "hacking." These reactive laws focus primarily on the hacker—an elusive entity that even if apprehended could not, in most cases, make a victim whole again. These laws often came into play only after a breach event had occurred involving the data of a particular state’s residents. Other than the slight deterrent effect that they might have, the antihacking laws have done little to prevent cybercrime from occurring. Because of this, state legislatures began to realize the need to focus on other parties in the chain of liability.
By passing SB 1386 in 2003, California became the first state with a data breach notification law. With it, not only would the actual wrongdoer be criminally liable, but entities that allow a breach to occur also might bear some liability. Other states soon followed, some adopting “bright line” legal tests for determining whether a breach has occurred, others a subjective, risk-based standard. Some laws have GLBA or HIPAA safe harbors; others do not. All, however, are still reactive, because they don't kick in until a breach has already occurred. At a minimum, they have created a negative incentive and increased the visibility of information security.
Proactive state data privacy laws
California continued its lead role by passing AB 1950 in 2004. Unlike data breach laws, AB 1950 focuses on whether an entity has in place “reasonable security procedures and practices.” This was one of the first of its kind: a broad-reaching proactive data security statute that places obligations on parties before a breach event has occurred. (Although both HIPAA and GLBA have a similar structure, they are limited to specific industry verticals and are not broadly applicable to all businesses that collect or maintain sensitive personal information.) Many states have now followed suit with similar proactive laws that require reasonable security measures.
Granular information security laws
If we view antihacking laws as a first wave, data breach notification laws as a second wave, and reasonable security measures laws as a third wave, a new, fourth wave of state information security laws would seem to be emerging. The laws in this fourth wave represent an attempt by state legislatures to pass much more granular provisions. To date, Oregon, Massachusetts and Nevada have the most detailed requirements, with Minnesota not far behind.
In Oregon, SB 583 requires companies to implement an information security program that includes administrative, physical and technical safeguards. It then specifies, for each class of safeguard, the measures that are deemed to comply with the law.
Detailed data security regulations in Massachusetts, 201 CMR 17, took effect in March 2010 and require companies to implement a comprehensive information security program along with certain administrative, technical and physical controls to protect sensitive personal information. Highlights include the obligations to retain only third-party service providers that are capable of implementing appropriate security measures and to require such measures by contract.
The most compelling trend besides granularity is the incorporation of commercial standards (in particular, elements of the Payment Card Industry Data Security Standard or PCI DSS) into state law. Two states, Nevada and Minnesota, have codified or partially codified the PCI DSS. In Nevada, a business that accepts payment cards must comply with the PCI DSS. This creates a type of “safe harbor.” If the entity is PCI-compliant and the breach is not caused by “the gross negligence or intentional misconduct” of the entity, it will not be liable under the law for damages for a security breach.
The Minnesota law reflects only one part of the PCI DSS and, in many respects, codifies obligations already contained in merchants’ contracts with the card brands. The law forbids entities that handle credit card information from retaining the card security code, PIN or contents of any track of magnetic stripe data after the transaction is authorized. Companies not in compliance with the statute are liable for any fraudulent transactions that result from such noncompliance, as well as the costs of replacing compromised cards.
Data privacy laws: What's next?
I am certainly not a prognosticator and I don’t play one on TV. Having said that, I do believe the trend of increasingly proactive and granular state data privacy laws will continue to evolve in two ways.
First, states will press forward with innovative laws that focus on information security and further refine the obligations of the various stakeholders, specifically the enterprises that collect, process, and maintain data. This may frustrate those entities that employ a somewhat common framework-based approach to compliance, using a single set of controls that cover the existing “patchwork” of laws. Those companies that select one of the most stringent laws and meet its requirements may find that they need to update their security posture in response to the legislative “leapfrogging” that could occur.
Second, I believe that we will eventually see data privacy legislation become law at the federal level, though the broad nature of some of the bills over the past few years makes passage difficult. For now, though, it seems that there are too many stakeholders with varied interests to get an “omnibus-style” bill on the books. That may change quickly, however, should some type of drastic event occur that gets everyone aligned. Hopefully, that won't be the case.
Randy V. Sabett, J.D., CISSP, is counsel in the Washington, DC office of ZwillGen PLLC and has more than 20 years of infosec experience, including as an NSA cryptography engineer. He counsels clients on information security, IT licensing and intellectual property. He served on the Commission on Cybersecurity for the 44th Presidency and he has been recognized as a leader in privacy & data security in the 2007-2013 editions of Chambers USA. Sabett is an adjunct professor, a frequent lecturer and author, and has appeared on or been quoted in a variety of national media sources.