So, your business has never had a data breach? Have you ever had an employee leave?

TAKEAWAY: Businesses must protect their data from being taken by anyone who is not authorized to have it — insiders and outsiders alike. If their data is taken in a way that is unauthorized, it is a data breach. When a former employee leaves with a thumb drive, Gmail inbox, or Dropbox of your business’s data, that person is then an unauthorized person in possession of your business’s data and that is a [YOU FILL IN THE BLANK].

The Problem

Businesses lose employees every day for various reasons. When an employee is leaving, it is not uncommon for them to think something like this:

  • “I did a really great job on that project, that’s really my work, not Tyrannaco’s.”
  • “I brought those customers to Tyrannaco, they are really my customers.”
  • “I did such a great job on that proposal that I am going to keep a copy to use as a form in case I ever need to do one again.”
  • “The stupid management at Tyrannaco never recognized the value of what I brought to the table — I need to let these people know that I was really the one doing all of the work.”
  • “I always keep a copy of everything I do, that way if it gets lost, I always have a backup copy.”

… and with those rationalizations, and infinitely more, we all know what happens next. The employee decides to keep their own copy of your business’s data, including all of the sensitive private information that your business’s customers have entrusted to you for your safekeeping. And then the employee decides to open their own business or go to work for one of your competitors, and guess what they’ll bring with them …

Let’s summarize: Your customers entrusted your business with their sensitive information, which was taken from your business and is now in the hands of someone else. You, my friend, have been breached!

Now the next section tells you why you should care. I’ll leave it at that, you get the point.

Overview of Texas’ Data Breach Notification Law

Texas’ data breach notification law is titled “Notification Required Following Breach of Security of Computerized Data” and is found at Section 521.053 of the Texas Business and Commerce Code. The main body of the law provides as follows:

(b) A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

What is a “breach of system security”?

The law defines “breach of system security” as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.”

What is “sensitive personal information”?

The law has a fairly detailed definition of “sensitive personal information” that should be read carefully. A couple of general points will provide an overview of what is and is not protected:

  • Information that is lawfully made available to the public from a federal, state, or local governmental body is not considered sensitive personal information
  • Sensitive personal information does include “an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:” Social Security number, driver’s license number or other government-issued identification number, account or card numbers in combination with the required access or security codes
  • Also included is information that identifies an individual and is related to their health condition, provision of healthcare, or payment for healthcare

Who does the law apply to?

The law applies to any person (which includes entities) who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information.

Who must be notified?

The law requires notification to “any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” This is an incredibly broad class of individuals that is certainly not limited to only Texas citizens and, quite possibly, is not even limited to citizens of the United States.

When must the notification be given?

The notification must be given as quickly as possible after it has been determined that an individual’s sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. However, the notification may be delayed as necessary to determine the scope of the breach and restore the reasonable integrity of the data system or at the request of law enforcement to avoid compromising an investigation.

What is the penalty for failure to notify?

Section 151.151 of the law provides that the penalty for failing to comply with this notification requirement is a civil penalty of up to $100.00 per individual per day of delay, not to exceed $250,000 for a single breach.

Any more questions?

Law360 article quotes Shawn Tuma on data privacy significance of U.S. v. Cotterman

BrittonTuma partner Shawn Tuma was quoted extensively about last week’s United States v. Cotterman opinion in a recent Law360.com article titled “9th Circ. Pioneers Laptop Search Limits in Border Case”. Here are excerpts of what Tuma had to say:

“The court is raising the level of the expectation of privacy in data closer to that of someone’s own human body and further away from that of human property, essentially creating a new standard for data and information,” Shawn E. Tuma of Texas-based law firm BrittonTuma said Monday. “Now, if someone is carrying trade secrets or other intellectual property in a device that is seized at the border, that will have a higher expectation of privacy than other property.”
The impact of this new standard on data breach litigation could extend beyond border issues. According to attorneys, courts often dismiss these suits, finding the plaintiffs didn’t suffer any damages in losing control of their personal data. But if more followed the Ninth Circuit’s example, plaintiffs could gain a stronger argument on the value of compromised or misused information, Tuma noted. And employees could use the decision to oppose policies that allow their employer to search personal devices used for business purposes.

“I can see … an argument based on this case, saying that because the Ninth Circuit found that devices at the border are entitled to a greater expectation of privacy, employers should be held to the same reasonable suspicion standard before being allowed to search employee devices,” Tuma said.

Here is a link to the full article: http://www.law360.com/articles/422542/9th-circ-pioneers-laptop-search-limits-in-border-case

Tuma provided more explanation of these data privacy implications in two other posts:

Podcast Discussing Data Privacy and Information Security Implications of United States v. Cotterman – Now Available!

You can now listen to the podcast for Courts Showing Greater Respect for Data Privacy – United States v. Cotterman. Click HERE!

For a recap, here is my discussion of this podcast and who participated:

I finished a fantastic Skype discussion of the Cotterman opinion with Rafal Los (@Wh1t3Rabbit) and Mike Schearer (@theprez98). As you may recall from The Law and the Hacker podcast I did a few months ago, Raf is often referred to as the Chief Security Evangelist for HP and blogs at Following the Wh1t3Rabbit – Practical Enterprise Security. Mike is a security consultant and penetration tester by day and a law student and hacker by night who blogs at Mike’s Blog and wrote a nice post on the Cotterman opinion: Law in Plain English: United States v. Cotterman. You should know how seriously the three of us take this issue since this is how we spent our Saturday night! Raf has turned our discussion into a podcast that is available HERE. Much of what I would write in the blog is in the podcast, so I will keep this post as short as possible.

If you have any questions or would like to talk computer fraud, data security or privacy, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com).

Courts Showing Greater Respect for Data Privacy – United States v. Cotterman

TAKEAWAY: Data privacy is gaining respect within the judiciary, as it should because in many ways, data is the new currency and is worthy of protection.

On March 8, 2013 the Ninth Circuit Court of Appeals (en banc) handed down a watershed case with significant privacy implications: United States v. Cotterman, No. 09-10139 (9th Cir. Mar. 8, 2013). This case (including the majority, concurring and dissenting opinions) is 82 pages so plan your time accordingly. It is worth reading because it represents a tug-of-war between competing interests of border security and data privacy. Data privacy may not have scored a knockout but it certainly gained some very important ground.

While analyzing the Cotterman case I made some notes on my whiteboard. Instead of sharing the customary random psychedelic photo with you, I decided to just share an image of the whiteboard so you can see what I thought was really important which I will briefly discuss below.

Note – it is 12:30 on Saturday night and a few hours ago I finished a fantastic Skype discussion of the Cotterman opinion with Rafal Los (@Wh1t3Rabbit) and Mike Schearer (@theprez98). As you may recall from The Law and the Hacker podcast I did a few months ago, Raf is often referred to as the Chief Security Evangelist for HP and blogs at Following the Wh1t3Rabbit – Practical Enterprise Security. Mike is a security consultant and penetration tester by day and a law student and hacker by night who blogs at Mike’s Blog and wrote a nice post on the Cotterman opinion: Law in Plain English: United States v. Cotterman. You should know how seriously the three of us take this issue since this is how we spent our Saturday night! Raf has turned our discussion into a podcast that is available HERE. Much of what I would write in the blog is in the podcast, so I will keep this post as short as possible.

Facts

Cotterman was a sleazebag child molester who had been convicted for molesting a child and apparently traveled out of the country quite frequently. Cotterman was returning from Mexico with his wife, had been visiting a country known for “sex tourism,” and had what was considered to be a significant amount of electronic equipment with him (a laptop and several cameras).

Cotterman was profiled at customs while coming back into America because of the totality of all of these factors which indicated he fit within the parameters of the Operation Angel Watch program aimed at combating child sex tourism. This led to Cotterman and his wife being taken for a heightened inspection. Cotterman’s laptop and cameras were inspected, nothing inappropriate was found during the cursory inspection and he and his wife were allowed to go. Because there were files that were password protected, however, this raised another red flag and the laptop and a camera were held for forensic examination.

The forensic examiner later contacted Cotterman and asked him to provide his password. Cotterman, sensing the inevitable at this point, hopped a plane to Mexico and then on to Sydney, Australia. Meanwhile, the forensic examiner was able to crack the password and discovered 378 child porn pictures and videos, some of which showed Cotterman sexually molesting a young girl between the ages of 7 and 10.

Procedural Posture

The district court determined that the forensic examination of the laptop and camera was improper and excluded the evidence under the exclusionary rule. The prosecutors appealed, arguing that the law was clear that customs had the authority to do a routine border search without the need for any suspicion whatsoever, including the forensic examination.

The key issue in this case was whether it was reasonable to conduct a forensic examination of the computer and camera.

The Ninth Circuit’s Analysis and Ruling

The Ninth Circuit disagreed with the prosecutors’ argument but ultimately gave them a favorable ruling in the case that enabled the evidence to be used against Cotterman. The court found that, in order to conduct a forensic exam of data on electronic devices, there must be a “reasonable suspicion”, which is a heightened standard over what is typically required for a routine border search. The reason for requiring a reasonable suspicion for a forensic exam is the “comprehensive and intrusive nature of forensic examination.” The court also found, however, that the facts of this case satisfied the reasonable suspicion standard and the evidence should not have been excluded.

The court emphasizes protection of data privacy

The court also emphasized that Fourth Amendment protection of “personal papers” directly encompasses data on electronic devices because such data goes to the heart of the notions of freedom of conscience, thoughts, and ideas. Therefore, data on electronic devices is afforded a higher standard of protection than other forms of property. The court expressly stated “data on electronic devices carries with it a significant expectation of privacy.”

The court acknowledged that this case directly implicates substantial personal privacy interests and found that inspecting information individuals store on digital devices is much less like inspecting an impersonal gas tank and closer to inspecting people themselves, therefore requiring a higher standard. In the court’s words: “It was essentially a computer strip search.”

I believe this represents a higher level of respect for the value and importance of data than we have seen out of many courts (especially if you consider that most of the data breach lawsuits have been tossed because courts find there is no value in the compromised data). For me, this was the true value in this case — let’s see if other courts will follow.
