Since the days of California's pioneering data breach notification law, virtually all states have implemented some form of consumer ID theft protection law. In 2008 the focus shifted to the east coast, when Massachusetts took it beyond notification and issued its regulations for the protection of personal information, viewed by many as the most proscriptive in the US. This presentation provides a general overview of state law, but focuses on how the MA regulations evolved from the version issued in Sept 2008 to what became effective March 2010, how organizations are responding, and some potential implications for the future.
Allison Dolan, Program Director, Protecting Personally Identifiable Information, Massachusetts Institute of Technology
Allison F. Dolan is currently Program Director, Protecting Personally Identifiable Information at the Massachusetts Institute of Technology. This program is co-sponsored by the Institute Auditor and Vice President for Information Services and Technology (IS&T). Previously, Allison spent 10 years in IS&T, including roles as Director of Shared Services - Finance, Administration and HR, and as Director of Telephony Services. Allison’s MIT experience was preceded by 20 years of combined information systems, operational, and leadership experience at Eastman Kodak. Allison holds a BA degree from the University of Delaware, with a double major in Computer Science and Economics.
State Data Breach Laws - A National Patchwork Quilt
1. State Data Breach Laws …A National Patchwork Quilt
Allison Dolan
Program Director, Protecting Personally Identifiable Information
Massachusetts Institute of Technology
2. Presentation Overview
• Breach law history
• Massachusetts and other states
• What’s on the horizon
10/21/2010 Rochester Security Summit 2010
3. Key Take-aways
• Laws and regulations continue to abound – and are becoming more proscriptive
• Know what state(s) are relevant
• Know what industry(s) are relevant
• Know what processes you have
4. Laws & Regulations
• FERPA - Family Educational Rights and Privacy Act
• Gramm-Leach-Bliley Act
• HIPAA - Health Insurance Portability and Accountability Act
• FACTA/Red Flags Rule
• PCI DSS - Payment Card Industry Data Security Standards
• HITECH Act - Health Information Technology for Economic and Clinical Health
• State data breach laws, regulations
5. State Laws
• 2002 – California SB-1386 – consumer notification if unauthorized access to unencrypted electronic records with personal information
• 2005 – New York data breach law GBL 899-aa
• 2007 – Massachusetts MGL 93H/I
  - 39th state with breach law; 5th to include paper
  - 1st to require “written information security program”
• 2007 – California AB 1298 added medical and health insurance information to definition of PI
• 2010 – 47 states, Puerto Rico, Virgin Islands, DC, NYC with laws
6. Massachusetts Data Breach Law (M.G.L. c.93H & 93I)
• Personal information (PI) = last name (with first name or initial), along with one or more of Social Security Number; Driver’s License # or Mass. ID#; Financial Account # or Credit/Debit Card #
• Defines obligations re: notification, if paper or electronic files exposed (irrespective of encryption)
• Includes what must be in notification letter
• When destroyed, must be done such that PI cannot be practicably read or reconstructed
• Data protection regulations initially issued 9/08; ultimately effective 3/1/2010
7. Massachusetts Data Protection Regulations (201 CMR 17)
http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
If you have Personal Information, then you have a “duty to protect” and need to follow “standards to protect”, including:
• “Develop, implement, maintain and monitor a …written information security program” (WISP)
• Limit access and ensure user authentication & authorization
• “Oversee” 3rd parties
• Encrypt transmitted records and personal information stored on laptops or other portable devices
• Maintain up-to-date versions of system security including malware protection, patches and virus definitions
• …plus other requirements
8. Massachusetts Data Protection Regulations Evolution
• Office of Consumer Affairs and Business Regulation promulgated regulations; Attorney General responsible for enforcement
• Draft regulations 2/08
  - Included technical detail for encryption requirements
  - A lot of feedback
• Issued 9/08, with 1/1/09 effective date
  - No technical requirements for encryption
  - “Certification” of 3rd parties
  - Implied requirement to inventory PI
  - Standards were ‘one size fits all’
9. Massachusetts Data Protection Regulations Evolution (cont.)
• 4 postponements with revisions
• Added emphasis on risk based approach – small business with little PI has different risk than large company
• Made more explicit that ‘written program’ could consist of compilation of existing written policies/practices
• Need to “oversee” 3rd parties by taking “reasonable steps” to ensure 3rd party can protect information
• Entire IT section prefaced with “to the extent technically feasible”
10. California redux
• 2007 – AB 1298 added medical information and health insurance information to the definition of PI
• 2010 – SB 1166
  - Additional information in notification letters, including:
    - Type of personal information exposed
    - Description of incident, including date
    - Steps organization is taking to protect individuals
    - Steps consumers can take to protect themselves, including contact information for credit reporting agencies
  - Breach affecting >500 must review notification letter with AG
11. State comparisons
• All(?) focus on state residents (not company residence)
• Most focus on electronic records; few include paper/other media
• Most include SSN, Driver’s License/state issued id, CCN, financial account numbers; some limit only if PID/PIN included
• Some include mother’s maiden name, date-of-birth, etc.
• Many exempt ‘protected’ or encrypted records
12. State comparisons
• State agency notification varies – e.g. AG, others, none
• Template for notification letter varies – e.g., some require details of breach (when, how, #), others preclude details
• Timeframe varies – “without unreasonable delay”, “5 days”; often exception for police investigation
• Harm threshold varies – no threshold thru “reasonably believed to have been acquired by an unauthorized person”
• Quantity threshold varies – 1 to 1,000 (also, maximum for personal notification)
• Penalties vary, some with maximums
• Private right to action varies
13. Federal Trends
• HITECH (2/2009)
  - Notification requirements for HIPAA Covered Entities and Business Associates
  - National database
  - HHS AND State AG enforcement
• Data Breach Notification Act (introduced 1/2009)
  - Authorize AG to bring civil action if notification did not occur
  - Extends notification requirement to government agencies
• Personal Data Privacy and Security Act (introduced 7/2009)
  - Set criminal penalties for willful concealment of breach
  - Require preventative security standards
14. Federal Trends
• 2010 Data Security Act SB 3579 (2007, reintroduced 7/2010)
  - Preempt state laws
  - Modeled after GLBA
  - Establish “appropriate standards” for administrative, technical and physical data protection
• Data Security and Breach Notification Act of 2010 S.3742
  - Require protection of PI (FTC to set national standards)
  - Require notification within 60 days
  - Require offering 2 years of credit protection
  - Up to $5 million in civil penalties
  - Exemption for entities covered by FCRA
15. In Our Future?
• More European-style controls?
• More items to be protected?
  - Photographs
  - Biometrics
  - IP addresses
• More contractual requirements between organizations?
• More definition of how information is to be protected?
16. Summary
• Know the state(s) represented in your business (employees, customers, vendors, affiliates)
• Know the industry(s) represented in your business (health, insurance, finance, retail)
• Know the major business processes (HR, procurement, finance, business operations)
• You are prepared when
  - new laws enacted
  - business processes change
  - company changes (acquisition, divestiture, etc.)
17. Quiz
Following examples from http://www.idtheftcenter.org/artman2/publish/itrc-news/Notification_Roulette.shtml
1) Paperwork containing personal and financial information was found littering the streets of Buffalo, New York. The customer records were from Rent-a-Center. Do they have to notify you?
2) In Arizona, thousands of pages of sensitive information reportedly disposed of by The Vine Tavern and Eatery contained people’s names, Social Security numbers and dates of birth from restaurant applications, as well as checks with banking information and also credit card receipts with full card numbers from Vine customers. The receipts revealed a person’s entire credit card number.
3) Over 40,000 intact patient records containing personal and medical information were found in a pile described as 20’ long by 20’ wide at Georgetown Transfer Station in Massachusetts. The records, from four hospitals, had reportedly been dumped there by the medical billing service they had used.
4) An unknown number of canceled checks bearing Social Security and bank account numbers of Rockland, Massachusetts town employees are missing after wind knocked them from a loaded recycling truck.
5) Approximately 30,000 estimated tax payments with checks wound up in the San Francisco Bay after the truck transporting them to the Internal Revenue Service was involved in an accident and wind blew the mail into the bay.
6) Boxes with 1,590 patient records from a Charlotte, North Carolina psychologist’s practice were left at a county recycling facility because the psychologist’s sons mistakenly took the wrong boxes to be recycled. The records contained patient names, contact information, Social Security numbers, credit card numbers and medical histories.
18. Quiz
7) In Illinois, hundreds of sensitive documents that were provided to the law firm of Robert J. Semrad & Associates, also known as DebtStoppers USA, ended up in a trash bin in an area the firm shares with other businesses. The “Client Information Sheets” contained Social Security numbers, full names and addresses, driver’s license numbers and signed debit card authorizations.
8) 75 legal files were found in a dumpster off Interstate 10 near Boerne, Texas. The files, which included people’s names, addresses, bank accounts, social security numbers, driver license numbers, and birth dates, belonged to attorney David Naworski, who readily acknowledged throwing them away unshredded and said he was unaware of any state law on disposal.
9) Three small file boxes full of decade-old personal records belonging to customers of the First Federal Savings Bank were found near a residential street in Bryan, Texas. The bank had apparently closed its doors under that name around 2002 and has been acquired by several banks since then. The current owner says that they never assumed ownership of those bank records.
10) Credit-card numbers from 17,000 guests at the Emily Morgan Hotel in San Antonio were stolen and used in a three-state shopping spree. Officials say the suspects used stacks of stolen credit-card receipts from a storage room at the hotel in 2006.
11) The University of Florida discovered that 2,047 people had their Social Security or Medicaid identification numbers included on address labels affixed to letters inviting them to participate in a research study. The letters were sent through the U.S. Postal Service on May 24, and the information also was shared with a telephone survey company.
12) In Maryland, Montgomery County’s Department of Health and Human Services is looking into how numerous Wheaton nursing home papers containing sensitive patient information have made their way into nearby neighbors’ yards over the past few months. The exposed internal documents contained patient conditions, names and Social Security numbers.
19. Resources
• Map and other state/Canadian info: http://www.nymity.com/About_Nymity/Nymity_Maps.aspx
• privacylaw.proskauer.com/articles/security-breach-notification-l/
• Summary of state data breach requirements: www.perkinscoie.com/news/pubs_detail.aspx?publication=26596137-b74f-4b68-8063-93f996f233e9
• List of state breach statutes: www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/OverviewSecurityBreaches/tabid/13481/Default.aspx
• www.ncsl.org/Default.aspx?TabId=13489
• "Intersections - Data Breach Consumer Notification Guide” details each state's law, 118 pages; contact info: www.intersections.com, 888.283.1725, DataBreachServices@Intersections.com
• Guide to CA regulations: www.sb-1386.com/
• Breach notification letters: datalossdb.org/incident_highlights/34-data-breach-notification-letters
• NY Guide to handling PII: www.nysconsumer.gov/pdf/protecting/information_privacy/the_new_york_business_guide_to_privacy.pdf
• Summary of US privacy laws (undated): www.bbbonline.org/understandingprivacy/library/fed_statePrivLaws.pdf
21. Places to look for PII/SSN - Employee Processes
• Job applications
• Background checks
• New hire paperwork - I-9, Federal/State tax withholding, benefit enrollment, other new hire forms
• Payroll, timecards, paychecks, direct deposit forms; wage garnishing requests
• Ongoing benefit and 401(k) processes
• Status changes (e.g. marriage)
• Worker’s compensation, medical leave forms
• Employee loan programs
• Specialized certifications (e.g., nurse, engineer)
• Special requirements (e.g. top secret clearance, confidentiality agreement, employment contracts)
• Employee reporting (e.g. annual reviews)
• Union reporting
22. Places to look for PII/SSN - Customer Processes
• Services that require customer’s PII - e.g., banking and financial services, education services, car rentals, tax preparation, accounting, etc.
• Products/services with check and/or credit card payments
• Services that require PII of others - e.g., 401(k) administrators, benefit providers, underwriters, claim administrators
• Services that may involve access to PII of others - e.g., backup service providers, shredding services, IT application developers and system admins, custodians
23. Places to look for PII/SSN - Financial Processes
• Vendor files/vendor payments, e.g., independent contractors
• Employee reimbursements (look at form used to request reimbursements, as well as backup to request)
• Honoraria
• Employee awards
• Customer rewards, awards, or payments
• Other payments - e.g., payments to ‘one-off’ vendors, research subjects, casual labor
• Taxes
• State or federal government reporting - corporation reports, real estate transactions
• Financial reporting - SEC
24. Places to look for PII/SSN - Miscellaneous Processes
• State visits
• Any service that predates non-SSN organizational id (e.g. library, parking, travel, conference attendance)
• Insurance (beneficiaries)
• Legal (subpoenas, court records, etc.)
• Audit (if PII part of the process that was audited)
• Research grants (pre-2009)
• Medicare
• Internal medical
• System backups
• Paper archives
• Printing/scanning with devices that retain information
• PCs after ‘delete trash’; prior to deployment
• Email
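The four "Places to look" slides are a process inventory; in practice the inventory ends with scanning the files, mailboxes and scanner caches those processes produce, and the MA regulations' implied requirement to inventory PI (slide 8) is met the same way. The Python below is an added example, not code from the presentation or from MIT's program: it scans constructed sample lines for SSN and payment card patterns and discards look-alikes using the SSA's published structural rules for SSNs and the Luhn check for card numbers, then reports findings masked so the report does not become another copy of the PI. All sample values are synthetic (the stock 123-45-6789 example SSN, an SSN in an area number the SSA never assigns, and the standard Visa/Amex test card numbers).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample lines (not from the presentation). Each mimics a place
# the slides name as a PII source: payroll forms, vendor payments, email,
# scanner caches. Every value is synthetic: 123-45-6789 is the stock example
# SSN, 987-65-4321 falls in an area number the SSA never issues, and the card
# numbers are the standard Visa/Amex test numbers.
SAMPLE_LINES = [
    "payroll/direct-deposit: J. Doe SSN 123-45-6789 routing 011000015",
    "vendor-payment: contractor TIN 987-65-4321 invoice 2010-1021-0001",
    "email: card on file 4111 1111 1111 1111 exp 03/12, call 555-123-4567",
    "email: corp card 3782 822463 10005 for conference registration",
    "scan-cache: receipt total 4111-1111-1111-1112 (misread digit)",
]


@dataclass(frozen=True)
class Finding:
    kind: str       # "ssn" or "card"
    value: str      # the token exactly as it appeared
    line_no: int    # 1-based line in the scanned text


# Candidate patterns: an SSN in AAA-GG-SSSS form, and 13-19 digits optionally
# separated by single spaces or dashes (how cards appear on receipts/forms).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: area 000, 666 and 900-999 are
    never assigned, nor are group 00 or serial 0000."""
    a = int(area)
    if a in (0, 666) or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_line(line: str, line_no: int) -> list[Finding]:
    """Return validated SSN and card findings for one line."""
    found: list[Finding] = []
    for m in SSN_RE.finditer(line):
        if ssn_is_plausible(*m.groups()):
            found.append(Finding("ssn", m.group(0), line_no))
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(Finding("card", m.group(0), line_no))
    return found


def scan_text(text: str) -> list[Finding]:
    """Scan a whole document; findings come back in line order."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(line, n))
    return findings


def mask(value: str) -> str:
    """Keep only the last four digits so the inventory report is not itself
    a new copy of the PI it is meant to locate."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    for f in scan_text("\n".join(SAMPLE_LINES)):
        print(f"line {f.line_no}: {f.kind} {mask(f.value)}")
```

Run on the sample, the scanner reports the SSN on line 1 and the two valid cards on lines 3 and 4; the 987-65 "TIN" on line 2, the phone number on line 3 and the mis-scanned card on line 5 are all rejected by the structural checks rather than by the regexes alone. In a real sweep the same functions are pointed at file shares, mail archives and the print/scan device caches the slides mention, and the masked findings feed the PI inventory rather than a spreadsheet of raw numbers.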
Editor’s notes
What this means to companies in general - some industries, like Health Care, already ‘covered’.
Ask audience – who is NY? Health Care? Retail? Any international?? If so – can’t help.
Review of federal… FERPA – 1972; no notification. GLB – basis for many state laws. HIPAA – protection, but no notification. FACTA – data protection. PCI – notify banks, but not consumers. HITECH – first federal. State
HITECH FIRST NATIONAL DATA BREACH – ALSO, STATE AG INVOLVEMENT – Conn was first
Ask about which ones are relevant to audience
MA definition of PI fairly typical
MA seems to be influencing others – this bit of background might be useful
OCABR and AG – didn’t talk with each other – i.e. what OCABR expected and what AG doing not necessarily in synch
Technically feasible – that means what is ok today might not be in the future…
Mention CA law re: medical notification within 5 days - $100/day/record penalty up to a maximum
Significant implications of multi-state breach –
- Minimum – different letters
- If <1000 in state with 1K threshold, but 10 in state with no threshold – do you notify the 10 and not the 999?
Bills on calendar for full senate
FCRA – Fair Credit Reporting Act
1) No. Even though financial information about you was exposed, it was exposed by a business, not a regulated financial institution. New York State law does not require businesses to notify consumers of breaches involving paper records.
2) No. Not only does Arizona law not require notification of breaches involving paper records, but there is no law preventing such dumping of records. Arizona’s protections are significantly less than many other states’ because AZ also does not require breach notification for computerized data unless the breach is “reasonably likely to cause substantial economic loss.” For a state that claims to be worried about ID theft due to immigration concerns, their lack of state laws to secure data and notify individuals of breaches is surprising.
3) Yes. The federal medical privacy law known as HIPAA, as amended by ARRA, requires all covered entities to notify affected individuals even if the records are in paper format. But: covered entities do not have to notify individuals unless there is a “significant risk of harm” to the individual. The U.S. Dept. of Health & Human Services has recently withdrawn this breach notification rule and it is undergoing further consideration. Even if this breach did not have to be reported under HIPAA, however, it would likely have to be reported under Massachusetts state law, which does cover paper records.
4) Yes, the town would likely be obligated to report the breach under Massachusetts law.
5) Yes, the IRS would likely be obligated to notify, but since the mail had not yet been opened, they had no idea whom to notify.
6) Yes, under both HIPAA and North Carolina law. North Carolina is one of only a few states that include paper records in their breach notification law.
7) Probably not. Illinois law does not cover paper breaches and it is not clear to me whether bankruptcy lawyers would be covered under the Federal Trade Commission (FTC) Safeguards Rule. This is a useful example of how consumers do not have a simple and clear understanding of whether they will be notified or not. Do we need to become lawyers to figure out which laws apply and how?
8) No. Although Texas requires businesses to dispose of records securely and the state attorney general can bring charges against or sue a business for improper disposal, there is no requirement that the entity notify individuals of a breach involving paper records.
9) I would say “yes” because it was a financial institution and the records contained sensitive information, but since the bank no longer exists, who is going to notify you?
10) No. Although the hotel did notify affected customers (once they realized there had been a breach and were able to figure out who to notify), Texas law does not mandate breach notification if the breach involved paper records. Credit card receipts are paper records.
11) No. Although the University notified affected individuals, Florida law does not require notification if the breach involves paper records. Nor does FERPA, the federal educational rights privacy law that applies to public universities and schools, require notification of breaches.
12) No. I bet you thought I was going to say “Yes, under HIPAA,” but nursing homes are not covered by HIPAA and Maryland does not require breach notifications if the breach involves paper records.