State data breach notification law mishmash would get worse with proposed NC and SD legislation — is instant notification by clairvoyant next?

The push for a single uniform national data breach notification law gained strength in the wake of the Equifax breach. Proposed legislation in North Carolina would amend that state’s law in a way that adds momentum to this push. And South Dakota, tired of being one of only two states without a breach notification law, wants to leave Alabama on its own and join the other 48 states by getting a law of its own.

See Why Do Data Breach Disclosures Take So Long? Let’s Ask the SEC Chairman

North Carolina, in a never-ending race to see which state can come up with the most impractical breach notification law, has proposed legislation that would (1) require companies to notify consumers and the state Attorney General of data breaches within 15 days; and (2) adopt HHS’ view under HIPAA that a ransomware attack is a data breach that requires notification and reporting. You can read more details about the new law here, but this is enough to help you see why even this Texan believes we need a federal breach notification law in place before some state requires instantaneous notification of consumers by a clairvoyant.

South Dakota’s proposed legislation is at least generally consistent with the existing laws of many of the other 48 states. It would require companies to notify the state’s residents whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person, within 45 days of discovering or being notified of the breach. Breaches affecting more than 250 of its residents would require notifying the state’s Attorney General as well. You can read more details about the proposed law here.

Under the proposed laws for both North Carolina and South Dakota, failure to comply with the breach notification requirements would be a violation of the respective state’s deceptive trade practices law.

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.


National data breach notification law proposed by Senate Commerce Committee members (includes jail?)

Three Democratic senators introduced legislation Thursday requiring companies to notify customers of data breaches within 30 days of their discovery and imposing a five-year prison sentence on organizations caught concealing data breaches.

https://www.cyberscoop.com/national-data-breach-notification-law-bill-nelson-uber-equifax-hack/

Why do data breach disclosures often take too long? Let’s ask the SEC Chairman.

In the wake of the Equifax and the Securities and Exchange Commission’s data breach disclosures, there has been a lot of public outcry over the assertion that it took too long to disclose these data breaches to the public. “Too long” is a relative term, to start with, as I have little doubt that some people will see anything shy of instantaneous disclosure via clairvoyant transmission as taking too long. But as for the rest of us, it is important to consider why it often takes what appears to be too long for a company (or agency) to disclose a data breach to the public.

In my role as an attorney who has guided many companies through this data breach incident response process, I can tell you from firsthand experience that the most common reason is the company just does not know enough of the facts to justify telling people that their personal information has been compromised when it really does not know whether it has or has not been.

Data breaches do not present themselves to the company with a neat little bow and calling card that says, “Guess what? You have a data breach! On X date, Hacker X accessed your network, took PII records of the following individuals and intends to sell them on the DarkNet. Now go alert the public.”

Instead, data breaches usually start as some anomalous computer event that is detected, gets someone’s attention, and is then looked into to see whether the event is something more, like an incident. But even if it is an incident, that doesn’t mean it’s a data breach. And, just because there is an intrusion (i.e., unauthorized access) to the company’s network does not mean it’s a data breach. It takes time, effort, and good forensics in most cases to determine whether a data breach has actually occurred and, if so, who and what data was affected. If companies notified the public of a “data breach” every time they had an incident or intrusion in their network, it would be a steady stream of notifications and the public would simply ignore them (even more). (Read more about this in my Guide to Responding to Data Breaches: Understanding Data Breach Foundations)

The Chairman of the SEC put the difficulty and subjectivity of balancing these interests and making this determination very well: “You don’t want to make disclosures that are misleading.” In the case of the SEC’s own breach, he decided it was time to make the disclosure after the SEC had turned up all of the facts that it was going to get before completing its investigation. (SEC Chairman Feels Bipartisan Heat On Breach Disclosure – Law360)

While it’s fun and cool to jump on the bandwagon of companies taking too long to disclose data breaches, we have to be honest with ourselves and ask what we really want companies to do. Are they supposed to willy-nilly alert the public of a potential compromise of their personal data every time they suspect the slightest little thing could have occurred? Is that really what we want? And, in doing so, are they to then risk providing false or misleading information to the public because they are making statements based on nothing more than fear and a hunch?

Key Points of Delaware’s New Data Breach Notification Law

Delaware recently amended its data breach notification law to include the following requirements:

  • Expanded definition of “personal information” to include biometric data, medical information, passport numbers, routing numbers for accounts, individual taxpayer identification numbers and usernames, in addition to the traditional forms of PII such as birth date and Social Security number.
  • Notice to affected individuals within 60 days.
  • Notice to the Delaware Attorney General if the breach affects more than 500 residents of Delaware.
  • Provide one year of free identity theft protection services in breaches where Social Security numbers were compromised (joining CA and CT).

Companies are not required to notify individuals if, after an appropriate investigation (i.e., performing a risk assessment), the company reasonably determines there is no risk of harm to the individuals.

On the cybersecurity side of things, the new law requires companies to “implement and maintain reasonable security” to protect the information a company collects and holds for Delaware residents.

The effective date of the new law is April 14, 2018.

National data breach notification law pros and cons? What do you think?

What are the pros and cons of a national breach notification law?

That is the topic of a discussion among Chief Information Security Officers that I will be moderating for the National Technology Security Coalition (NTSC) CISO Policy Roundtable tomorrow (4/3/17). My goal is to keep my own comments to a minimum, ask good questions, and let the CISOs share their real-world knowledge.

Comments are open so please share your thoughts on this issue. Specifically,

  • What are the questions that need to be asked to facilitate this discussion?
  • What are the critical points that need to be made?


Here are a few resources that I found helpful in my research on this issue:

Insider Misuse of Computers: No Big Deal? It Can Be a Data Breach, Ask Boeing

Insider misuse triggers a breach just like outside hackers.

When a company’s information is compromised because of insider[1] misuse of computers or information, regardless of the insider’s intentions, the result for the company and the data subjects of that information is often the same as if it were an attack by an outside adversary – it is a data breach.

Boeing’s insider-triggered data breach.

A Boeing employee emailed his spouse an internal company document containing personally identifiable information for about 36,000 co-workers to get help with formatting the document. His intentions were noble and innocent, he wanted to do a good job on the document and believed his spouse could help. The outcome was much different.

See: Guide to Responding to Data Breaches and Reporting Cybersecurity Incidents to Law Enforcement and Governmental Agencies

Because the sensitive data on its employees left Boeing’s “control” when it passed from an employee to a non-employee, it triggered a data breach. As a result, Boeing had to go through the breach notification process: notifying the 36,000 employees affected, providing them with two years of complimentary credit monitoring services, and notifying the attorneys general of Washington, California, North Carolina, and Massachusetts. Read the full story here: Boeing discloses 36,000-employee data breach after email to spouse for help

Why was this a data breach?

In this analysis, you start with the data itself. Was the confidentiality, integrity, or availability of the data compromised? When a company collects, stores, or processes data, it is responsible for the safekeeping of that data, wherever it may be (yes, even if the company entrusts it to another for safekeeping, the company is still responsible). Generally speaking, when that company has employees, contractors, or other workers performing services on its behalf (insiders), they are treated as being within the company’s control and the legal protections of that data, and their access to, possession of, and use of that data remain within the legal fiction of company control. The confidentiality of that data is still intact as long as they are acting within the scope of their permissible role.

Insiders exceeding limitations of access and use of information may trigger breach.

When insiders exceed the boundaries that have been placed upon them by accessing, possessing, or using that data in a manner that is unauthorized by the company, it may result in a data breach, depending upon the particular facts of how it is used, the nature of the data, the type of industry, and any regulatory framework that may apply to that industry. For example, in the healthcare context the HIPAA Privacy Rule would almost certainly classify such a situation as an unlawful use or disclosure, triggering a data breach by the company.

Insiders keeping company information after termination of employment is almost certainly a breach.

When insiders take sensitive company data outside of the company, it will almost certainly trigger a data breach for the company. The most obvious example of this is an employee that retains company data after that employee is no longer employed by the company. Once the employment relationship terminates, the employee’s basic duties to the company also terminate and, unless there is some contractual extension of those duties, the employee possessing that information is no different than the spouse of the Boeing employee possessing the information – it is no longer within the legal fiction of “protections” of the company that maintain its confidentiality. In other words, its confidentiality has now been compromised.

Texas’ breach notification law is triggered by insider misuse.

In most cases, determining whether a breach has occurred will depend on the breach notification laws for the particular jurisdiction where the company does business and where the data subjects of that information reside.[2]

What is a breach of system security under Texas law?

The Texas breach notification law, Breach of Security of Computerized Data,[3] requires any company that conducts business in Texas and owns or licenses computerized data that includes sensitive personal information to disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

“‘Breach of system security’ means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.”[4]

Regarding insiders, the law specifically states that “[g]ood faith acquisition of sensitive personal information by an employee or agent of the person for the purposes of the person is not a breach of system security unless the person uses or discloses the sensitive personal information in an unauthorized manner.”[5] In other words, if an insider is authorized to access company SPI for a valid business purpose, and does so, but later uses or discloses that information in an unauthorized manner, it is a data breach under the Texas breach notification statute.

What is sensitive personal information under Texas law?

What is often referred to as personally identifiable information is defined by the Texas data breach notification law as “sensitive personal information” (SPI). The law has a fairly detailed definition of SPI that should be read carefully. A couple of general points will provide an overview of what is and is not protected:

  • Information that is lawfully made available to the public from a federal, state, or local governmental body is not considered sensitive personal information
  • Sensitive personal information does include “an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:” Social Security number, driver’s license number or other government-issued identification number, account or card numbers in combination with the required access or security codes
  • Also included is information that identifies an individual and is related to their health condition, provision of healthcare, or payment for healthcare

Does an employee’s unauthorized taking of company data to use for working for a competitor trigger a data breach under Texas law?

Consider a common scenario in the business world, with a few extra twists for emphasis:

  1. An employee who has had access to and worked with her employer’s customer database containing detailed information and SPI decides to leave the company.
  2. Because she has done most of the work in building up the customer database, she believes she is entitled to have a copy of it for herself so, before giving her notice or actually terminating her employment, she copies the customer database to her personal Dropbox account and saves it to a USB thumb drive.
  3. She then gives her notice, terminates her employment, and goes to work for a competitor.
  4. Once she starts work, she looks for the database but discovers that she lost the USB drive, which was unencrypted, so she downloads the customer database from her Dropbox folder, which also happens to be an openly “shared” folder, freely accessible by anyone on the Internet because she is an amateur photographer and it contains the images she uses to display her work on her blog.
  5. She then begins using her former employer’s customer database without telling her new employer but she does secretly upload the database to her new employer’s computer network.

What do you think, data breach or no data breach? In the hypothetical, at which step do you think there became a problem, if any? Please share your answer and reasoning in the comments – this one should be fun!

See: Texas Broadens Unauthorized Access of Computer Law to Specifically Address Insider Misuse

See: 3 Key Takeaways About Texas’ Unauthorized Access Law

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

[1] The term “insiders” is often used to refer to “privileged users,” that is, users who have at least some rights, or privileges, to access and use the computers whereas the term “outsiders” refers to users who do not have any access rights, or privileges, to access the computers whatsoever. See Shawn E. Tuma, In Search of the Golden Mean: Examining the Impact of the President’s Proposed Changes to the CFAA on Combatting Insider Misuse, 18 SMU Sci. & Tech. L. Rev. 3, p.4 (2015).

[2] See Shawn E. Tuma, Guide to Responding to Data Breaches and Reporting Cybersecurity Incidents to Law Enforcement and Governmental Agencies, Cybersecurity Business Law (2016).

[3] Breach of Security of Computerized Data, Tex. Bus. & Com. Code Ann. § 521.053 (West).

[4] Tex. Bus. & Com. Code Ann. § 521.053 (a) (West).

[5] Tex. Bus. & Com. Code Ann. § 521.053 (a) (West).

Yahoo Data Breach: US Senators Demand Answers – Still Think You Don’t Have to Disclose and Notify?

There is a grave and unfortunate misperception among many business leaders who believe that when their company has had a data breach, going through a response and notification of affected individuals is optional. To the educated readers of this blog, this sounds shocking. Sadly, it is something I see on a regular basis. What is worse is that there are far too many lawyers who do not practice in this area but, out of ignorance, advise such clients that it is really not as big a deal as we make it out to be and that they can just ignore it. Continue reading “Yahoo Data Breach: US Senators Demand Answers – Still Think You Don’t Have to Disclose and Notify?”

Cybersecurity Legal Issues: What you really need to know (slides)

Shawn Tuma delivered the presentation Cybersecurity Legal Issues: What you really need to know at a Cybersecurity Summit sponsored by the Tarleton State University School of Criminology, Criminal Justice, and Strategic Studies’ Institute for Homeland Security, Cybercrime and International Criminal Justice. The presentation was on September 13, 2016 at the George Bush Institute. The following are the slides from Tuma’s presentation — a video of the presentation will be posted soon!

Continue reading “Cybersecurity Legal Issues: What you really need to know (slides)”

Cybersecurity Incident Response Checklist

Business leaders, when people like me tell you that having a cybersecurity incident in your company is like being in a building on fire, we are not exaggerating. Take a look at the following checklist (note, this is not an incident response plan!) while keeping in mind that over half of the items on that checklist should be performed almost simultaneously within hours of learning that your company has had a data breach.

While this is not an exhaustive list, these are the items that most often need to be performed in the cases in which I guide clients through the incident response and remediation process. Of course there will be exceptions, additions, and omissions — take this for what it is, a starting point. Finally, note that the picture below is an image of the checklist and is blurry — you can download the original here.

[Image: Cybersecurity Incident Response Checklist]


Cybersecurity: How Long Should An Incident Response Plan Be?

Last evening I had the pleasure of talking cybersecurity law with a group of CIOs from some pretty sophisticated companies. It was a great discussion and I learned as much as I shared — just the way I like it. During our discussion, the subject of Incident Response Plans came up and I explained why these are now a must-have. Continue reading “Cybersecurity: How Long Should An Incident Response Plan Be?”